source: java/net/deterlab/abac/Identity.java @ b89cfd8

package net.deterlab.abac;

import java.io.*;

import java.util.*;
import java.security.*;
import java.security.cert.*;
import javax.security.auth.x500.*;

import java.math.BigInteger;

import org.bouncycastle.asn1.*;
import org.bouncycastle.asn1.util.*;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.x509.*;
import org.bouncycastle.openssl.*;


/**
 * An ABAC identity.  An X509 Certificate-encoded public key.  The key
 * identifier is used as the name of the Identity.  This whole class is
 * something of a jabac extension.
 * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
 * @version 1.4
 */
public class Identity implements Comparable {
    /** Default validity period (in seconds) */
    static public long defaultValidity = 3600L * 24L * 365L;
    /** The underlying X509 certificate. */
    protected X509Certificate cert;
    /** The public key id used as this principal's name */
    protected String keyid;
    /** The common name in the certificate, used as a mnemonic */
    protected String cn;
    /** The keypair, if any, used to sign for this Identity */
    protected KeyPair kp;
    /** The expiration for this Identity */
    protected Date expiration;

    /** Make sure BouncyCastle is loaded */
    static { Context.loadBouncyCastle(); } 

    /**
     * Initialize from PEM cert in a reader.  Use a PEMReader to get
     * the certificate, and call init(cert) on it.
     * @param r a Reader containing the certificate
     * @throws CertificateException if the certificate is badly formatted
     * @throws InvalidKeyException if none of the Identities can validate the
     *                              certificate
     * @throws NoSuchAlgorithmException if the credential uses an unknown
     *                              signature algorithm
     * @throws NoSuchProviderException if the provider of the signature
     *                              algorithm is unavailable
     * @throws SignatureException if the signature check fails
     * @throws IOException if the certificate is unparsable.
     */
    protected void init(Reader r) throws 
            CertificateException, NoSuchAlgorithmException,InvalidKeyException,
            NoSuchProviderException, SignatureException, IOException {
        PEMReader pr = new PEMReader(r);
        Object c = null;

        while ( ( c= pr.readObject()) != null ){

            if (c instanceof X509Certificate) {
                if ( cn == null ) 
                    init((X509Certificate)c);
                else
                    throw new CertificateException("Two certs in one file");
            }
            else if (c instanceof KeyPair) setKeyPair((KeyPair)c);
            else 
                throw new CertificateException(
                        "Not an identity certificate");
        }
        // If there's nothing for the PEM reader to parse, the cert is invalid.
        if (cn == null) 
            throw new CertificateException(
                    "Not an identity certificate");
    }

    /**
     * Initialize internals from cert.  Confirm it is self signed,  and then
     * the keyid and common name.  There's some work to get this stuff, but
     * it's all an incantation of getting the right classes to get the right
     * data.  Looks more complex than it is.
     * @param c an X509Certificate to init from
     * @throws CertificateException if the certificate is badly formatted
     * @throws InvalidKeyException if none of the Identities can validate the
     *                              certificate
     * @throws NoSuchAlgorithmException if the credential uses an unknown
     *                              signature algorithm
     * @throws NoSuchProviderException if the provider of the signature
     *                              algorithm is unavailable
     * @throws SignatureException if the signature check fails
     * @throws IOException if the certificate is unparsable.
     */
    protected void init(X509Certificate c) throws
        CertificateException, NoSuchAlgorithmException,InvalidKeyException,
        NoSuchProviderException, SignatureException, IOException {
            cert = (X509Certificate) c;
            cert.verify(cert.getPublicKey());
            // Cert is valid, fill in the CN and keyid
            keyid = Context.extractKeyID(cert.getPublicKey());
            cn = cert.getSubjectDN().getName();
            expiration = cert.getNotAfter();
            /// XXX: better parse
            if (cn.startsWith("CN=")) cn = cn.substring(3);
    }

    /**
     * Construct from a string, used as a CN.  Keys are generated.
     * @param cn a String containing the menomnic name
     * @param validity a long containing the validity period (in seconds)
     * @throws IOException reading or writing problems
     * @throws CertificateEncodingException Problem creating certificate
     * @throws InvalidKeyException if none of the Identities can sign the
     *                              certificate
     * @throws NoSuchAlgorithmException if the credential uses an unknown
     *                              signature algorithm
     * @throws NoSuchProviderException if the provider of the signature
     *                              algorithm is unavailable
     * @throws SignatureException if the signature creation fails
     */
    public Identity(String cn, long validity) throws
            CertificateException, NoSuchAlgorithmException,InvalidKeyException,
            NoSuchProviderException, SignatureException, IOException {
        X509V1CertificateGenerator gen = new X509V1CertificateGenerator();
        kp = KeyPairGenerator.getInstance("RSA").genKeyPair();

        gen.setIssuerDN(new X500Principal("CN=" + cn));
        gen.setSubjectDN(new X500Principal("CN=" + cn));
        gen.setNotAfter(new Date(System.currentTimeMillis() +
                1000L * validity));
        gen.setNotBefore(new Date(System.currentTimeMillis()));
        gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
        gen.setPublicKey(kp.getPublic());
        gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
        X509Certificate a = (X509Certificate) gen.generate(kp.getPrivate(), "BC");
        init(a);
    }


    /**
     * Construct from a string, used as a CN.  Keys are generated.
     * @param cn a String containing the menomnic name
     * @param validity a long containing the validity period (in seconds)
     * @throws IOException reading or writing problems
     * @throws CertificateEncodingException Problem creating certificate
     * @throws InvalidKeyException if none of the Identities can sign the
     *                              certificate
     * @throws NoSuchAlgorithmException if the credential uses an unknown
     *                              signature algorithm
     * @throws NoSuchProviderException if the provider of the signature
     *                              algorithm is unavailable
     * @throws SignatureException if the signature creation fails
     */
    public Identity(String cn) throws
            CertificateException, NoSuchAlgorithmException,InvalidKeyException,
            NoSuchProviderException, SignatureException, IOException {
        this(cn, defaultValidity);
    }

    /**
     * Construct from a file containing a self-signed PEM certificate.
     * @param file the File to read
     * @throws CertificateException if the certificate is badly formatted
     * @throws InvalidKeyException if none of the Identities can validate the
     *                              certificate
     * @throws NoSuchAlgorithmException if the credential uses an unknown
     *                              signature algorithm
     * @throws NoSuchProviderException if the provider of the signature
     *                              algorithm is unavailable
     * @throws SignatureException if the signature check fails
     * @throws IOException if the certificate is unparsable.
     */
    public Identity(File file) throws 
        CertificateException, NoSuchAlgorithmException,InvalidKeyException,
        NoSuchProviderException, SignatureException, FileNotFoundException,
        IOException { 
            kp = null;
            init(new FileReader(file));
        }

    /**
     * Construct from a reader containing a self-signed PEM certificate.
     * @param r the Reader containing the certificate
     * @throws CertificateException if the certificate is badly formatted
     * @throws InvalidKeyException if none of the Identities can validate the
     *                              certificate
     * @throws NoSuchAlgorithmException if the credential uses an unknown
     *                              signature algorithm
     * @throws NoSuchProviderException if the provider of the signature
     *                              algorithm is unavailable
     * @throws SignatureException if the signature check fails
     * @throws IOException if the certificate is unparsable.
     */
    public Identity(Reader r) throws 
        CertificateException, NoSuchAlgorithmException,InvalidKeyException,
        NoSuchProviderException, SignatureException, IOException {
            kp = null;
            init(r);
        }

    /**
     * Construct from an InputStream containing a self-signed PEM certificate.
     * @param s the InputStream containing the certificate
     * @throws CertificateException if the certificate is badly formatted
     * @throws InvalidKeyException if none of the Identities can validate the
     *                              certificate
     * @throws NoSuchAlgorithmException if the credential uses an unknown
     *                              signature algorithm
     * @throws NoSuchProviderException if the provider of the signature
     *                              algorithm is unavailable
     * @throws SignatureException if the signature check fails
     * @throws IOException if the certificate is unparsable.
     */
    public Identity(InputStream s) throws 
        CertificateException, NoSuchAlgorithmException,InvalidKeyException,
        NoSuchProviderException, SignatureException, IOException { 
            kp = null;
            init(new InputStreamReader(s));
        }

    /**
     * Construct from an X509Certificate
     * @param cert an X509Certificate to init from
     * @throws CertificateException if the certificate is badly formatted
     * @throws InvalidKeyException if none of the Identities can validate the
     *                              certificate
     * @throws NoSuchAlgorithmException if the credential uses an unknown
     *                              signature algorithm
     * @throws NoSuchProviderException if the provider of the signature
     *                              algorithm is unavailable
     * @throws SignatureException if the signature check fails
     * @throws IOException if the certificate is unparsable.
     */
    public Identity(X509Certificate cert) throws 
        CertificateException, NoSuchAlgorithmException,InvalidKeyException,
        NoSuchProviderException, SignatureException, FileNotFoundException,
        IOException { 
            kp = null;
            init(cert);
        }

    /**
     * Write the PEM key to the given writer.
     * @param w the Writer
     * @return true if the Identity had a keypair and wrote the key
     * @throws IOException if writing fails
     */
    public boolean writePrivateKey(Writer w) throws IOException {
        if (kp != null ) {
            PEMWriter pw = new PEMWriter(w);

            pw.writeObject(kp.getPrivate());
            pw.flush();
            return true;
        }
        else return false;
    }

    /**
     * Write the PEM key to a file with the given name.
     */
    public boolean writePrivateKey(String fn) 
            throws IOException, FileNotFoundException {
        return writePrivateKey(new FileWriter(fn));
    }

    /**
     * Write the PEM key to the given file.
     * @param fn a String with the output file name
     * @return true if the Identity had a keypair and wrote the key
     * @throws IOException if writing fails
     */
    public boolean writePrivateKey(File fn) 
            throws IOException, FileNotFoundException {
        return writePrivateKey(new FileWriter(fn));
    }

    /**
     * Write the PEM key to the given OutputStream.
     * @param s an OutputStream to write on
     * @return true if the Identity had a keypair and wrote the key
     * @throws IOException if writing fails
     */
    public boolean writePrivateKey(OutputStream s) 
            throws IOException, FileNotFoundException {
        return writePrivateKey(new OutputStreamWriter(s));
    }


    /**
     * Write the PEM cert to the given writer.
     * @param w a Writer to write on
     * @throws IOException if writing fails
     */
    public void write(Writer w) throws IOException {
        PEMWriter pw = new PEMWriter(w);

        pw.writeObject(cert);
        pw.flush();
    }

    /**
     * Write the PEM cert to a file with the given name.
     */
    public void write(String fn) throws IOException, FileNotFoundException {
        write(new FileWriter(fn));
    }

    /**
     * Write the PEM cert to the given file.
     * @param fn a String with the output file name
     * @throws IOException if writing fails
     */
    public void write(File fn) throws IOException, FileNotFoundException {
        write(new FileWriter(fn));
    }

    /**
     * Write the PEM cert to the given OutputStream.
     * @param s an OutputStream to write on
     * @throws IOException if writing fails
     */
    public void write(OutputStream s) 
        throws IOException, FileNotFoundException {
        write(new OutputStreamWriter(s));
    }


    /**
     * Return the Identity's KeyID
     * @return the Identity's KeyID
     */
    public String getKeyID() { return keyid; }
    /**
     * Return the Identity's mnemonic name
     * @return the Identity's mnemonic name
     */
    public String getName() { return cn; }
    /**
     * Return the Identity's X509 Certificate
     * @return the Identity's X509 Certificate
     */
    public X509Certificate getCertificate() { return cert; }

    /**
     * Return the expiration time of the Identity
     * @return a Date the expiration time of the Identity
     */
    public Date getExpiration(){ return expiration; }

    /**
     * Return a simple string rep of the Identity.
     * @return a simple string rep of the Identity.
     */
    public String toString() { 
        String s = keyid + " (" + cn ;

        if (keyid != null ) s += " [keyed]";
        s += ")";
        return s;
    }
    /**
     * Associate a keypair with this Identity.  If the ID has a certificate,
     * make sure that the keypair matches it.  If not throw an
     * IllegalArgumentException.
     * @param k the KeyPair to connect
     * @throws IllegalArgumentException if the keypair does not 
     *                              match the pubkey in the X509 certificate
     */
    public void setKeyPair(KeyPair k) {
        if (keyid != null) {
            String kid = Context.extractKeyID(k.getPublic());

            if ( kid != null && kid.equals(keyid)) kp = k;
            else 
                throw new IllegalArgumentException(
                        "Keypair does not match certificate");
        }
        else kp = k;
    }

    /**
     * Return the keypair associated with this Identity (if any)
     * @return the keypair associated with this Identity (if any)
     */
    public KeyPair getKeyPair() { return kp; }

    /**
     * Return true if the two identites refer to teh same key.  Two Identities
     * are equal if their key ID's match.
     * @return true if the two key ID's are equal.
     */
    public boolean equals(Object o) { 
        if ( o == null ) return false;
        else if ( ! (o instanceof Identity) ) return false;
        else return getKeyID().equals(((Identity)o).getKeyID());
    }
    /**
     * Order 2 identities for sorting.  They are ordered by their key ID's.
     * @param o an Object to compare
     * @return -1 if this Identity is before, 0 if they are the same, and 1
     *              if this Identity is after the given object.
     */
    public int compareTo(Object o) { 
        if ( ! (o instanceof Identity) ) return 1;
        else return getKeyID().compareTo(((Identity)o).getKeyID());
    }

};