Context Navigation

source: java/net/deterlab/abac/Identity.java @ fbdd2d1

abac0-leakabac0-meitvf-new-xml

Last change on this file since fbdd2d1 was fbdd2d1, checked in by Ted Faber <faber@…>, 11 years ago
Remove the not-self-signed exception
Property mode set to `100644`
File size: 13.4 KB

Rev	Line
[9725efb]	1	package net.deterlab.abac;
	2
	3	import java.io.*;
	4
	5	import java.util.*;
	6	import java.security.*;
	7	import java.security.cert.*;
[3a52bed]	8	import javax.security.auth.x500.*;
[9725efb]	9
[3a52bed]	10	import java.math.BigInteger;
[9725efb]	11
	12	import org.bouncycastle.asn1.*;
	13	import org.bouncycastle.asn1.util.*;
	14	import org.bouncycastle.asn1.x509.*;
	15	import org.bouncycastle.x509.*;
[238717d]	16	import org.bouncycastle.openssl.*;
	17
[9725efb]	18
[e36ea1d]	19	/**
	20	* An ABAC identity. An X509 Certificate-encoded public key. The key
	21	* identifier is used as the name of the Identity. This whole class is
	22	* something of a jabac extension.
	23	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
[4560b65]	24	* @version 1.4
[e36ea1d]	25	*/
[5cf72cc]	26	public class Identity implements Comparable {
[3f928b0]	27	/** Default validity period (in seconds) */
	28	static public long defaultValidity = 3600L * 24L * 365L;
[e36ea1d]	29	/** The underlying X509 certificate. */
	30	protected X509Certificate cert;
	31	/** The public key id used as this principal's name */
	32	protected String keyid;
	33	/** The common name in the certificate, used as a mnemonic */
	34	protected String cn;
	35	/** The keypair, if any, used to sign for this Identity */
	36	protected KeyPair kp;
[3f928b0]	37	/** The expiration for this Identity */
	38	protected Date expiration;
[9725efb]	39
[238717d]	40	/** Make sure BouncyCastle is loaded */
	41	static { Context.loadBouncyCastle(); }
	42
[1a7e6d3]	43	/**
[e36ea1d]	44	* Initialize from PEM cert in a reader. Use a PEMReader to get
	45	* the certificate, and call init(cert) on it.
	46	* @param r a Reader containing the certificate
[7ebf16d]	47	* @throws CertInvalidException if the stream is unparsable
	48	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	49	* certificate
[7ebf16d]	50	* @throws BadSignatureException if the signature check fails
	51	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	52	*/
[7ebf16d]	53	protected void init(Reader r) throws ABACException {
[42ca4b8]	54	PEMReader pr = new PEMReader(r);
	55	Object c = null;
	56
[7ebf16d]	57	try {
	58	while ( ( c= pr.readObject()) != null ){
	59
	60	if (c instanceof X509Certificate) {
	61	if ( cn == null )
	62	init((X509Certificate)c);
	63	else
	64	throw new CertInvalidException("Two certs in one");
	65	}
	66	else if (c instanceof KeyPair) setKeyPair((KeyPair)c);
	67	else
	68	throw new CertInvalidException(
	69	"Not an identity certificate");
[42ca4b8]	70	}
[7ebf16d]	71	}
	72	catch (IOException e) {
	73	throw new CertInvalidException(e.getMessage(), e);
[42ca4b8]	74	}
[f31432f]	75	// If there's nothing for the PEM reader to parse, the cert is invalid.
	76	if (cn == null)
[7ebf16d]	77	throw new CertInvalidException("Not an identity certificate");
[8a14e37]	78	}
	79
	80	/**
[e36ea1d]	81	* Initialize internals from cert. Confirm it is self signed, and then
	82	* the keyid and common name. There's some work to get this stuff, but
	83	* it's all an incantation of getting the right classes to get the right
	84	* data. Looks more complex than it is.
	85	* @param c an X509Certificate to init from
[7ebf16d]	86	* @throws CertInvalidException if the stream is unparsable
	87	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	88	* certificate
[7ebf16d]	89	* @throws BadSignatureException if the signature check fails
	90	* @throws ABACException if an uncategorized error occurs
[8a14e37]	91	*/
[7ebf16d]	92	protected void init(X509Certificate c) throws ABACException {
	93	cert = (X509Certificate) c;
	94	try {
[0595372]	95	cert.verify(cert.getPublicKey());
[7ebf16d]	96	}
	97	catch (SignatureException e) {
[fbdd2d1]	98	// XXX: the cert is not signed by the key we provided. Right now
	99	// we check each cert as if it were self-signed. Other signing
	100	// strategies are allowed here by default. We expect outside
	101	// sources to validate ID certs if they expect different chains of
[7ebf16d]	102	}
	103	catch (CertificateException e) {
	104	throw new CertInvalidException(e.getMessage(), e);
	105	}
[4bd50f4]	106	catch (InvalidKeyException e) {
	107	// XXX: the cert is not signed by the key we provided. Right now
	108	// we check each cert as if it were self-signed. Other signing
	109	// strategies are allowed here by default. We expect outside
	110	// sources to validate ID certs if they expect different chains of
	111	// trust.
	112	}
[7ebf16d]	113	catch (GeneralSecurityException e) {
	114	throw new ABACException(e.getMessage(), e);
	115	}
	116	// Cert is valid, fill in the CN and keyid
	117	keyid = Context.extractKeyID(cert.getPublicKey());
	118	cn = cert.getSubjectDN().getName();
	119	expiration = cert.getNotAfter();
	120	/// XXX: better parse
	121	if (cn.startsWith("CN=")) cn = cn.substring(3);
[9725efb]	122	}
	123
[1a7e6d3]	124	/**
[e36ea1d]	125	* Construct from a string, used as a CN. Keys are generated.
	126	* @param cn a String containing the menomnic name
[3f928b0]	127	* @param validity a long containing the validity period (in seconds)
[7ebf16d]	128	* @throws CertInvalidException if the stream is unparsable
	129	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	130	* certificate
[7ebf16d]	131	* @throws BadSignatureException if the signature check fails
	132	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	133	*/
[7ebf16d]	134	public Identity(String cn, long validity) throws ABACException {
[3a52bed]	135	X509V1CertificateGenerator gen = new X509V1CertificateGenerator();
[7ebf16d]	136	try {
	137	kp = KeyPairGenerator.getInstance("RSA").genKeyPair();
	138	}
	139	catch (NoSuchAlgorithmException e) {
	140	throw new ABACException(e.getMessage(), e);
	141	}
	142	X509Certificate a = null;
[3a52bed]	143
	144	gen.setIssuerDN(new X500Principal("CN=" + cn));
	145	gen.setSubjectDN(new X500Principal("CN=" + cn));
[3f928b0]	146	gen.setNotAfter(new Date(System.currentTimeMillis() +
	147	1000L * validity));
[3a52bed]	148	gen.setNotBefore(new Date(System.currentTimeMillis()));
	149	gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
	150	gen.setPublicKey(kp.getPublic());
	151	gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
[7ebf16d]	152	try {
	153	a = (X509Certificate) gen.generate(kp.getPrivate(), "BC");
	154	}
	155	catch (CertificateEncodingException e) {
	156	throw new CertInvalidException(e.getMessage(), e);
	157	}
	158	catch (GeneralSecurityException e) {
	159	throw new ABACException(e.getMessage(), e);
	160	}
	161
[3a52bed]	162	init(a);
	163	}
	164
[3f928b0]	165	/**
	166	* Construct from a string, used as a CN. Keys are generated.
	167	* @param cn a String containing the menomnic name
[7ebf16d]	168	* @throws CertInvalidException if the stream is unparsable
	169	* @throws MissingIssuerException if none of the Identities can validate the
[3f928b0]	170	* certificate
[7ebf16d]	171	* @throws BadSignatureException if the signature check fails
	172	* @throws ABACException if an uncategorized error occurs
[3f928b0]	173	*/
[7ebf16d]	174	public Identity(String cn) throws ABACException {
[3f928b0]	175	this(cn, defaultValidity);
	176	}
[9725efb]	177
[1a7e6d3]	178	/**
[a7f73b5]	179	* Construct from a file containing a self-signed PEM certificate.
[e36ea1d]	180	* @param file the File to read
[7ebf16d]	181	* @throws CertInvalidException if the stream is unparsable
	182	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	183	* certificate
[7ebf16d]	184	* @throws BadSignatureException if the signature check fails
	185	* @throws ABACException if an uncategorized error occurs
	186	* @throws FileNotFoundException if the file is invalid
[1a7e6d3]	187	*/
[7ebf16d]	188	public Identity(File file) throws ABACException, FileNotFoundException {
	189	kp = null;
	190	init(new FileReader(file));
	191	}
[1a7e6d3]	192
	193	/**
[e36ea1d]	194	* Construct from a reader containing a self-signed PEM certificate.
	195	* @param r the Reader containing the certificate
[7ebf16d]	196	* @throws CertInvalidException if the stream is unparsable
	197	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	198	* certificate
[7ebf16d]	199	* @throws BadSignatureException if the signature check fails
	200	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	201	*/
[7ebf16d]	202	public Identity(Reader r) throws ABACException {
	203	kp = null;
	204	init(r);
	205	}
[1a7e6d3]	206
	207	/**
[e36ea1d]	208	* Construct from an InputStream containing a self-signed PEM certificate.
	209	* @param s the InputStream containing the certificate
[7ebf16d]	210	* @throws CertInvalidException if the stream is unparsable
	211	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	212	* certificate
[7ebf16d]	213	* @throws BadSignatureException if the signature check fails
	214	* @throws ABACException if an uncategorized error occurs
[1a7e6d3]	215	*/
[7ebf16d]	216	public Identity(InputStream s) throws ABACException {
	217	kp = null;
	218	init(new InputStreamReader(s));
	219	}
[1a7e6d3]	220
[8a14e37]	221	/**
[e36ea1d]	222	* Construct from an X509Certificate
	223	* @param cert an X509Certificate to init from
[7ebf16d]	224	* @throws CertInvalidException if the stream is unparsable
	225	* @throws MissingIssuerException if none of the Identities can validate the
[e36ea1d]	226	* certificate
[7ebf16d]	227	* @throws BadSignatureException if the signature check fails
	228	* @throws ABACException if an uncategorized error occurs
[8a14e37]	229	*/
[4feb5be]	230	public Identity(X509Certificate cert) throws ABACException {
[7ebf16d]	231	kp = null;
	232	init(cert);
	233	}
[8a14e37]	234
[8a93b41]	235	/**
	236	* Write the PEM key to the given writer.
[e36ea1d]	237	* @param w the Writer
	238	* @return true if the Identity had a keypair and wrote the key
	239	* @throws IOException if writing fails
[8a93b41]	240	*/
	241	public boolean writePrivateKey(Writer w) throws IOException {
	242	if (kp != null ) {
	243	PEMWriter pw = new PEMWriter(w);
	244
	245	pw.writeObject(kp.getPrivate());
	246	pw.flush();
	247	return true;
	248	}
	249	else return false;
	250	}
	251
	252	/**
	253	* Write the PEM key to a file with the given name.
	254	*/
	255	public boolean writePrivateKey(String fn)
	256	throws IOException, FileNotFoundException {
	257	return writePrivateKey(new FileWriter(fn));
	258	}
	259
	260	/**
	261	* Write the PEM key to the given file.
[e36ea1d]	262	* @param fn a String with the output file name
	263	* @return true if the Identity had a keypair and wrote the key
	264	* @throws IOException if writing fails
[8a93b41]	265	*/
	266	public boolean writePrivateKey(File fn)
	267	throws IOException, FileNotFoundException {
	268	return writePrivateKey(new FileWriter(fn));
	269	}
	270
	271	/**
	272	* Write the PEM key to the given OutputStream.
[e36ea1d]	273	* @param s an OutputStream to write on
	274	* @return true if the Identity had a keypair and wrote the key
	275	* @throws IOException if writing fails
[8a93b41]	276	*/
	277	public boolean writePrivateKey(OutputStream s)
	278	throws IOException, FileNotFoundException {
	279	return writePrivateKey(new OutputStreamWriter(s));
	280	}
	281
[1a7e6d3]	282
	283	/**
	284	* Write the PEM cert to the given writer.
[e36ea1d]	285	* @param w a Writer to write on
	286	* @throws IOException if writing fails
[1a7e6d3]	287	*/
	288	public void write(Writer w) throws IOException {
	289	PEMWriter pw = new PEMWriter(w);
	290
[0595372]	291	pw.writeObject(cert);
[5cf72cc]	292	pw.flush();
[1a7e6d3]	293	}
	294
	295	/**
	296	* Write the PEM cert to a file with the given name.
	297	*/
	298	public void write(String fn) throws IOException, FileNotFoundException {
	299	write(new FileWriter(fn));
	300	}
	301
	302	/**
	303	* Write the PEM cert to the given file.
[e36ea1d]	304	* @param fn a String with the output file name
	305	* @throws IOException if writing fails
[1a7e6d3]	306	*/
	307	public void write(File fn) throws IOException, FileNotFoundException {
	308	write(new FileWriter(fn));
	309	}
	310
	311	/**
	312	* Write the PEM cert to the given OutputStream.
[e36ea1d]	313	* @param s an OutputStream to write on
	314	* @throws IOException if writing fails
[1a7e6d3]	315	*/
	316	public void write(OutputStream s)
	317	throws IOException, FileNotFoundException {
	318	write(new OutputStreamWriter(s));
	319	}
[9725efb]	320
[e9360e2]	321
[e36ea1d]	322	/**
	323	* Return the Identity's KeyID
	324	* @return the Identity's KeyID
	325	*/
[0595372]	326	public String getKeyID() { return keyid; }
[e36ea1d]	327	/**
	328	* Return the Identity's mnemonic name
	329	* @return the Identity's mnemonic name
	330	*/
[0595372]	331	public String getName() { return cn; }
[e36ea1d]	332	/**
	333	* Return the Identity's X509 Certificate
	334	* @return the Identity's X509 Certificate
	335	*/
	336	public X509Certificate getCertificate() { return cert; }
[3f928b0]	337
	338	/**
	339	* Return the expiration time of the Identity
	340	* @return a Date the expiration time of the Identity
	341	*/
	342	public Date getExpiration(){ return expiration; }
	343
[e36ea1d]	344	/**
	345	* Return a simple string rep of the Identity.
	346	* @return a simple string rep of the Identity.
	347	*/
[42ca4b8]	348	public String toString() {
[0595372]	349	String s = keyid + " (" + cn ;
[42ca4b8]	350
[ac131a1]	351	if (getKeyPair() != null ) s += " [keyed]";
[42ca4b8]	352	s += ")";
	353	return s;
	354	}
	355	/**
	356	* Associate a keypair with this Identity. If the ID has a certificate,
	357	* make sure that the keypair matches it. If not throw an
	358	* IllegalArgumentException.
[e36ea1d]	359	* @param k the KeyPair to connect
	360	* @throws IllegalArgumentException if the keypair does not
	361	* match the pubkey in the X509 certificate
[42ca4b8]	362	*/
	363	public void setKeyPair(KeyPair k) {
[0595372]	364	if (keyid != null) {
	365	String kid = Context.extractKeyID(k.getPublic());
[42ca4b8]	366
[0595372]	367	if ( kid != null && kid.equals(keyid)) kp = k;
[42ca4b8]	368	else
	369	throw new IllegalArgumentException(
	370	"Keypair does not match certificate");
	371	}
	372	else kp = k;
	373	}
[e36ea1d]	374
	375	/**
	376	* Return the keypair associated with this Identity (if any)
	377	* @return the keypair associated with this Identity (if any)
	378	*/
[42ca4b8]	379	public KeyPair getKeyPair() { return kp; }
[e36ea1d]	380
	381	/**
[a7f73b5]	382	* Return true if the two identites refer to teh same key. Two Identities
	383	* are equal if their key ID's match.
[e36ea1d]	384	* @return true if the two key ID's are equal.
	385	*/
[5cf72cc]	386	public boolean equals(Object o) {
	387	if ( o == null ) return false;
	388	else if ( ! (o instanceof Identity) ) return false;
	389	else return getKeyID().equals(((Identity)o).getKeyID());
	390	}
[0100d7b]	391
	392	/**
	393	* Return a hash code for the Identity - the hash of its KeyID()
	394	* @return an int, the hashCode
	395	*/
	396	public int hashCode() {
	397	if (keyid == null) return super.hashCode();
	398	return keyid.hashCode();
	399	}
	400
	401
[e36ea1d]	402	/**
[a7f73b5]	403	* Order 2 identities for sorting. They are ordered by their key ID's.
[e36ea1d]	404	* @param o an Object to compare
	405	* @return -1 if this Identity is before, 0 if they are the same, and 1
	406	* if this Identity is after the given object.
	407	*/
[5cf72cc]	408	public int compareTo(Object o) {
	409	if ( ! (o instanceof Identity) ) return 1;
	410	else return getKeyID().compareTo(((Identity)o).getKeyID());
	411	}
[1a7e6d3]	412
[9725efb]	413	};

Note: See TracBrowser for help on using the repository browser.

Download in other formats: