Context Navigation

source: java/net/deterlab/abac/Identity.java @ b7e77df

abac0-leakabac0-meitvf-new-xml

Last change on this file since b7e77df was 4bd50f4, checked in by Ted Faber <faber@…>, 11 years ago
Deal with non-self-signed certificates in java (and test)
Property mode set to `100644`
File size: 13.2 KB

Rev	Line
[9725efb]	1	package net.deterlab.abac;
	2
	3	import java.io.*;
	4
	5	import java.util.*;
	6	import java.security.*;
	7	import java.security.cert.*;
[3a52bed]	8	import javax.security.auth.x500.*;
[9725efb]	9
[3a52bed]	10	import java.math.BigInteger;
[9725efb]	11
	12	import org.bouncycastle.asn1.*;
	13	import org.bouncycastle.asn1.util.*;
	14	import org.bouncycastle.asn1.x509.*;
	15	import org.bouncycastle.x509.*;
[238717d]	16	import org.bouncycastle.openssl.*;
	17
[9725efb]	18
[e36ea1d]	19	/**
	20	* An ABAC identity. An X509 Certificate-encoded public key. The key
	21	* identifier is used as the name of the Identity. This whole class is
	22	* something of a jabac extension.
	23	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
[4560b65]	24	* @version 1.4
[e36ea1d]	25	*/
[5cf72cc]	26	public class Identity implements Comparable {
[3f928b0]	27	/** Default validity period (in seconds) */
	28	static public long defaultValidity = 3600L * 24L * 365L;
[e36ea1d]	29	/** The underlying X509 certificate. */
	30	protected X509Certificate cert;
	31	/** The public key id used as this principal's name */
	32	protected String keyid;
	33	/** The common name in the certificate, used as a mnemonic */
	34	protected String cn;
	35	/** The keypair, if any, used to sign for this Identity */
	36	protected KeyPair kp;
[3f928b0]	37	/** The expiration for this Identity */
	38	protected Date expiration;
[9725efb]	39
[238717d]	40	/** Make sure BouncyCastle is loaded */
	41	static { Context.loadBouncyCastle(); }
	42
[1a7e6d3]	43	/**
[e36ea1d]	44	* Initialize from PEM cert in a reader. Use a PEMReader to get
	45	* the certificate, and call init(cert) on it.
	46	* @param r a Reader containing the certificate
[7ebf16d]	47	* @throws CertInvalidException if the stream is unparsable
	48	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	49	* certificate
[7ebf16d]	50	* @throws BadSignatureException if the signature check fails
	51	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	52	*/
[7ebf16d]	53	protected void init(Reader r) throws ABACException {
[42ca4b8]	54	PEMReader pr = new PEMReader(r);
	55	Object c = null;
	56
[7ebf16d]	57	try {
	58	while ( ( c= pr.readObject()) != null ){
	59
	60	if (c instanceof X509Certificate) {
	61	if ( cn == null )
	62	init((X509Certificate)c);
	63	else
	64	throw new CertInvalidException("Two certs in one");
	65	}
	66	else if (c instanceof KeyPair) setKeyPair((KeyPair)c);
	67	else
	68	throw new CertInvalidException(
	69	"Not an identity certificate");
[42ca4b8]	70	}
[7ebf16d]	71	}
	72	catch (IOException e) {
	73	throw new CertInvalidException(e.getMessage(), e);
[42ca4b8]	74	}
[f31432f]	75	// If there's nothing for the PEM reader to parse, the cert is invalid.
	76	if (cn == null)
[7ebf16d]	77	throw new CertInvalidException("Not an identity certificate");
[8a14e37]	78	}
	79
	80	/**
[e36ea1d]	81	* Initialize internals from cert. Confirm it is self signed, and then
	82	* the keyid and common name. There's some work to get this stuff, but
	83	* it's all an incantation of getting the right classes to get the right
	84	* data. Looks more complex than it is.
	85	* @param c an X509Certificate to init from
[7ebf16d]	86	* @throws CertInvalidException if the stream is unparsable
	87	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	88	* certificate
[7ebf16d]	89	* @throws BadSignatureException if the signature check fails
	90	* @throws ABACException if an uncategorized error occurs
[8a14e37]	91	*/
[7ebf16d]	92	protected void init(X509Certificate c) throws ABACException {
	93	cert = (X509Certificate) c;
	94	try {
[0595372]	95	cert.verify(cert.getPublicKey());
[7ebf16d]	96	}
	97	catch (SignatureException e) {
	98	throw new BadSignatureException(e.getMessage(), e);
	99	}
	100	catch (CertificateException e) {
	101	throw new CertInvalidException(e.getMessage(), e);
	102	}
[4bd50f4]	103	catch (InvalidKeyException e) {
	104	// XXX: the cert is not signed by the key we provided. Right now
	105	// we check each cert as if it were self-signed. Other signing
	106	// strategies are allowed here by default. We expect outside
	107	// sources to validate ID certs if they expect different chains of
	108	// trust.
	109	}
[7ebf16d]	110	catch (GeneralSecurityException e) {
	111	throw new ABACException(e.getMessage(), e);
	112	}
	113	// Cert is valid, fill in the CN and keyid
	114	keyid = Context.extractKeyID(cert.getPublicKey());
	115	cn = cert.getSubjectDN().getName();
	116	expiration = cert.getNotAfter();
	117	/// XXX: better parse
	118	if (cn.startsWith("CN=")) cn = cn.substring(3);
[9725efb]	119	}
	120
[1a7e6d3]	121	/**
[e36ea1d]	122	* Construct from a string, used as a CN. Keys are generated.
	123	* @param cn a String containing the menomnic name
[3f928b0]	124	* @param validity a long containing the validity period (in seconds)
[7ebf16d]	125	* @throws CertInvalidException if the stream is unparsable
	126	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	127	* certificate
[7ebf16d]	128	* @throws BadSignatureException if the signature check fails
	129	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	130	*/
[7ebf16d]	131	public Identity(String cn, long validity) throws ABACException {
[3a52bed]	132	X509V1CertificateGenerator gen = new X509V1CertificateGenerator();
[7ebf16d]	133	try {
	134	kp = KeyPairGenerator.getInstance("RSA").genKeyPair();
	135	}
	136	catch (NoSuchAlgorithmException e) {
	137	throw new ABACException(e.getMessage(), e);
	138	}
	139	X509Certificate a = null;
[3a52bed]	140
	141	gen.setIssuerDN(new X500Principal("CN=" + cn));
	142	gen.setSubjectDN(new X500Principal("CN=" + cn));
[3f928b0]	143	gen.setNotAfter(new Date(System.currentTimeMillis() +
	144	1000L * validity));
[3a52bed]	145	gen.setNotBefore(new Date(System.currentTimeMillis()));
	146	gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
	147	gen.setPublicKey(kp.getPublic());
	148	gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
[7ebf16d]	149	try {
	150	a = (X509Certificate) gen.generate(kp.getPrivate(), "BC");
	151	}
	152	catch (CertificateEncodingException e) {
	153	throw new CertInvalidException(e.getMessage(), e);
	154	}
	155	catch (GeneralSecurityException e) {
	156	throw new ABACException(e.getMessage(), e);
	157	}
	158
[3a52bed]	159	init(a);
	160	}
	161
[3f928b0]	162	/**
	163	* Construct from a string, used as a CN. Keys are generated.
	164	* @param cn a String containing the menomnic name
[7ebf16d]	165	* @throws CertInvalidException if the stream is unparsable
	166	* @throws MissingIssuerException if none of the Identities can validate the
[3f928b0]	167	* certificate
[7ebf16d]	168	* @throws BadSignatureException if the signature check fails
	169	* @throws ABACException if an uncategorized error occurs
[3f928b0]	170	*/
[7ebf16d]	171	public Identity(String cn) throws ABACException {
[3f928b0]	172	this(cn, defaultValidity);
	173	}
[9725efb]	174
[1a7e6d3]	175	/**
[a7f73b5]	176	* Construct from a file containing a self-signed PEM certificate.
[e36ea1d]	177	* @param file the File to read
[7ebf16d]	178	* @throws CertInvalidException if the stream is unparsable
	179	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	180	* certificate
[7ebf16d]	181	* @throws BadSignatureException if the signature check fails
	182	* @throws ABACException if an uncategorized error occurs
	183	* @throws FileNotFoundException if the file is invalid
[1a7e6d3]	184	*/
[7ebf16d]	185	public Identity(File file) throws ABACException, FileNotFoundException {
	186	kp = null;
	187	init(new FileReader(file));
	188	}
[1a7e6d3]	189
	190	/**
[e36ea1d]	191	* Construct from a reader containing a self-signed PEM certificate.
	192	* @param r the Reader containing the certificate
[7ebf16d]	193	* @throws CertInvalidException if the stream is unparsable
	194	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	195	* certificate
[7ebf16d]	196	* @throws BadSignatureException if the signature check fails
	197	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	198	*/
[7ebf16d]	199	public Identity(Reader r) throws ABACException {
	200	kp = null;
	201	init(r);
	202	}
[1a7e6d3]	203
	204	/**
[e36ea1d]	205	* Construct from an InputStream containing a self-signed PEM certificate.
	206	* @param s the InputStream containing the certificate
[7ebf16d]	207	* @throws CertInvalidException if the stream is unparsable
	208	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	209	* certificate
[7ebf16d]	210	* @throws BadSignatureException if the signature check fails
	211	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	212	*/
[7ebf16d]	213	public Identity(InputStream s) throws ABACException {
	214	kp = null;
	215	init(new InputStreamReader(s));
	216	}
[1a7e6d3]	217
[8a14e37]	218	/**
[e36ea1d]	219	* Construct from an X509Certificate
	220	* @param cert an X509Certificate to init from
[7ebf16d]	221	* @throws CertInvalidException if the stream is unparsable
	222	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	223	* certificate
[7ebf16d]	224	* @throws BadSignatureException if the signature check fails
	225	* @throws ABACException if an uncategorized error occurs
[8a14e37]	226	*/
[7ebf16d]	227	Identity(X509Certificate cert) throws ABACException {
	228	kp = null;
	229	init(cert);
	230	}
[8a14e37]	231
[8a93b41]	232	/**
	233	* Write the PEM key to the given writer.
[e36ea1d]	234	* @param w the Writer
	235	* @return true if the Identity had a keypair and wrote the key
	236	* @throws IOException if writing fails
[8a93b41]	237	*/
	238	public boolean writePrivateKey(Writer w) throws IOException {
	239	if (kp != null ) {
	240	PEMWriter pw = new PEMWriter(w);
	241
	242	pw.writeObject(kp.getPrivate());
	243	pw.flush();
	244	return true;
	245	}
	246	else return false;
	247	}
	248
	249	/**
	250	* Write the PEM key to a file with the given name.
	251	*/
	252	public boolean writePrivateKey(String fn)
	253	throws IOException, FileNotFoundException {
	254	return writePrivateKey(new FileWriter(fn));
	255	}
	256
	257	/**
	258	* Write the PEM key to the given file.
[e36ea1d]	259	* @param fn a String with the output file name
	260	* @return true if the Identity had a keypair and wrote the key
	261	* @throws IOException if writing fails
[8a93b41]	262	*/
	263	public boolean writePrivateKey(File fn)
	264	throws IOException, FileNotFoundException {
	265	return writePrivateKey(new FileWriter(fn));
	266	}
	267
	268	/**
	269	* Write the PEM key to the given OutputStream.
[e36ea1d]	270	* @param s an OutputStream to write on
	271	* @return true if the Identity had a keypair and wrote the key
	272	* @throws IOException if writing fails
[8a93b41]	273	*/
	274	public boolean writePrivateKey(OutputStream s)
	275	throws IOException, FileNotFoundException {
	276	return writePrivateKey(new OutputStreamWriter(s));
	277	}
	278
[1a7e6d3]	279
	280	/**
	281	* Write the PEM cert to the given writer.
[e36ea1d]	282	* @param w a Writer to write on
	283	* @throws IOException if writing fails
[1a7e6d3]	284	*/
	285	public void write(Writer w) throws IOException {
	286	PEMWriter pw = new PEMWriter(w);
	287
[0595372]	288	pw.writeObject(cert);
[5cf72cc]	289	pw.flush();
[1a7e6d3]	290	}
	291
	292	/**
	293	* Write the PEM cert to a file with the given name.
	294	*/
	295	public void write(String fn) throws IOException, FileNotFoundException {
	296	write(new FileWriter(fn));
	297	}
	298
	299	/**
	300	* Write the PEM cert to the given file.
[e36ea1d]	301	* @param fn a String with the output file name
	302	* @throws IOException if writing fails
[1a7e6d3]	303	*/
	304	public void write(File fn) throws IOException, FileNotFoundException {
	305	write(new FileWriter(fn));
	306	}
	307
	308	/**
	309	* Write the PEM cert to the given OutputStream.
[e36ea1d]	310	* @param s an OutputStream to write on
	311	* @throws IOException if writing fails
[1a7e6d3]	312	*/
	313	public void write(OutputStream s)
	314	throws IOException, FileNotFoundException {
	315	write(new OutputStreamWriter(s));
	316	}
[9725efb]	317
[e9360e2]	318
[e36ea1d]	319	/**
	320	* Return the Identity's KeyID
	321	* @return the Identity's KeyID
	322	*/
[0595372]	323	public String getKeyID() { return keyid; }
[e36ea1d]	324	/**
	325	* Return the Identity's mnemonic name
	326	* @return the Identity's mnemonic name
	327	*/
[0595372]	328	public String getName() { return cn; }
[e36ea1d]	329	/**
	330	* Return the Identity's X509 Certificate
	331	* @return the Identity's X509 Certificate
	332	*/
	333	public X509Certificate getCertificate() { return cert; }
[3f928b0]	334
	335	/**
	336	* Return the expiration time of the Identity
	337	* @return a Date the expiration time of the Identity
	338	*/
	339	public Date getExpiration(){ return expiration; }
	340
[e36ea1d]	341	/**
	342	* Return a simple string rep of the Identity.
	343	* @return a simple string rep of the Identity.
	344	*/
[42ca4b8]	345	public String toString() {
[0595372]	346	String s = keyid + " (" + cn ;
[42ca4b8]	347
[ac131a1]	348	if (getKeyPair() != null ) s += " [keyed]";
[42ca4b8]	349	s += ")";
	350	return s;
	351	}
	352	/**
	353	* Associate a keypair with this Identity. If the ID has a certificate,
	354	* make sure that the keypair matches it. If not throw an
	355	* IllegalArgumentException.
[e36ea1d]	356	* @param k the KeyPair to connect
	357	* @throws IllegalArgumentException if the keypair does not
	358	* match the pubkey in the X509 certificate
[42ca4b8]	359	*/
	360	public void setKeyPair(KeyPair k) {
[0595372]	361	if (keyid != null) {
	362	String kid = Context.extractKeyID(k.getPublic());
[42ca4b8]	363
[0595372]	364	if ( kid != null && kid.equals(keyid)) kp = k;
[42ca4b8]	365	else
	366	throw new IllegalArgumentException(
	367	"Keypair does not match certificate");
	368	}
	369	else kp = k;
	370	}
[e36ea1d]	371
	372	/**
	373	* Return the keypair associated with this Identity (if any)
	374	* @return the keypair associated with this Identity (if any)
	375	*/
[42ca4b8]	376	public KeyPair getKeyPair() { return kp; }
[e36ea1d]	377
	378	/**
[a7f73b5]	379	* Return true if the two identites refer to teh same key. Two Identities
	380	* are equal if their key ID's match.
[e36ea1d]	381	* @return true if the two key ID's are equal.
	382	*/
[5cf72cc]	383	public boolean equals(Object o) {
	384	if ( o == null ) return false;
	385	else if ( ! (o instanceof Identity) ) return false;
	386	else return getKeyID().equals(((Identity)o).getKeyID());
	387	}
[0100d7b]	388
	389	/**
	390	* Return a hash code for the Identity - the hash of its KeyID()
	391	* @return an int, the hashCode
	392	*/
	393	public int hashCode() {
	394	if (keyid == null) return super.hashCode();
	395	return keyid.hashCode();
	396	}
	397
	398
[e36ea1d]	399	/**
[a7f73b5]	400	* Order 2 identities for sorting. They are ordered by their key ID's.
[e36ea1d]	401	* @param o an Object to compare
	402	* @return -1 if this Identity is before, 0 if they are the same, and 1
	403	* if this Identity is after the given object.
	404	*/
[5cf72cc]	405	public int compareTo(Object o) {
	406	if ( ! (o instanceof Identity) ) return 1;
	407	else return getKeyID().compareTo(((Identity)o).getKeyID());
	408	}
[1a7e6d3]	409
[9725efb]	410	};

Note: See TracBrowser for help on using the repository browser.

Download in other formats: