Context Navigation

source: java/net/deterlab/abac/Identity.java @ f31432f

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0tvf-new-xml

Last change on this file since f31432f was f31432f, checked in by Ted Faber <faber@…>, 13 years ago
DER files were returning emptyish (and confusing Identities)
Property mode set to `100644`
File size: 13.3 KB

Line
1	package net.deterlab.abac;
2
3	import java.io.*;
4
5	import java.util.*;
6	import java.security.*;
7	import java.security.cert.*;
8	import javax.security.auth.x500.*;
9
10	import java.math.BigInteger;
11
12	import org.bouncycastle.asn1.*;
13	import org.bouncycastle.asn1.util.*;
14	import org.bouncycastle.asn1.x509.*;
15	import org.bouncycastle.x509.*;
16	import org.bouncycastle.openssl.*;
17
18
19	/**
20	* An ABAC identity. An X509 Certificate-encoded public key. The key
21	* identifier is used as the name of the Identity. This whole class is
22	* something of a jabac extension.
23	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
24	* @version 1.3
25	*/
26	public class Identity implements Comparable {
27	/** The underlying X509 certificate. */
28	protected X509Certificate cert;
29	/** The public key id used as this principal's name */
30	protected String keyid;
31	/** The common name in the certificate, used as a mnemonic */
32	protected String cn;
33	/** The keypair, if any, used to sign for this Identity */
34	protected KeyPair kp;
35
36	/** Make sure BouncyCastle is loaded */
37	static { Context.loadBouncyCastle(); }
38
39	/**
40	* Initialize from PEM cert in a reader. Use a PEMReader to get
41	* the certificate, and call init(cert) on it.
42	* @param r a Reader containing the certificate
43	* @throws CertificateException if the certificate is badly formatted
44	* @throws InvalidKeyException if none of the Identities can validate the
45	* certificate
46	* @throws NoSuchAlgorithmException if the credential uses an unknown
47	* signature algorithm
48	* @throws NoSuchProviderException if the provider of the signature
49	* algorithm is unavailable
50	* @throws SignatureException if the signature check fails
51	* @throws IOException if the certificate is unparsable.
52	*/
53	protected void init(Reader r) throws
54	CertificateException, NoSuchAlgorithmException,InvalidKeyException,
55	NoSuchProviderException, SignatureException, IOException {
56	PEMReader pr = new PEMReader(r);
57	Object c = null;
58
59	while ( ( c= pr.readObject()) != null ){
60
61	if (c instanceof X509Certificate) {
62	if ( cn == null )
63	init((X509Certificate)c);
64	else
65	throw new CertificateException("Two certs in one file");
66	}
67	else if (c instanceof KeyPair) setKeyPair((KeyPair)c);
68	else
69	throw new CertificateException(
70	"Not an identity certificate");
71	}
72	// If there's nothing for the PEM reader to parse, the cert is invalid.
73	if (cn == null)
74	throw new CertificateException(
75	"Not an identity certificate");
76	}
77
78	/**
79	* Initialize internals from cert. Confirm it is self signed, and then
80	* the keyid and common name. There's some work to get this stuff, but
81	* it's all an incantation of getting the right classes to get the right
82	* data. Looks more complex than it is.
83	* @param c an X509Certificate to init from
84	* @throws CertificateException if the certificate is badly formatted
85	* @throws InvalidKeyException if none of the Identities can validate the
86	* certificate
87	* @throws NoSuchAlgorithmException if the credential uses an unknown
88	* signature algorithm
89	* @throws NoSuchProviderException if the provider of the signature
90	* algorithm is unavailable
91	* @throws SignatureException if the signature check fails
92	* @throws IOException if the certificate is unparsable.
93	*/
94	protected void init(X509Certificate c) throws
95	CertificateException, NoSuchAlgorithmException,InvalidKeyException,
96	NoSuchProviderException, SignatureException, IOException {
97	cert = (X509Certificate) c;
98	cert.verify(cert.getPublicKey());
99	// Cert is valid, fill in the CN and keyid
100	keyid = Context.extractKeyID(cert.getPublicKey());
101	cn = cert.getSubjectDN().getName();
102	/// XXX: better parse
103	if (cn.startsWith("CN=")) cn = cn.substring(3);
104	}
105
106	/**
107	* Construct from a string, used as a CN. Keys are generated.
108	* @param cn a String containing the menomnic name
109	* @throws IOException reading or writing problems
110	* @throws CertificateEncodingException Problem creating certificate
111	* @throws InvalidKeyException if none of the Identities can sign the
112	* certificate
113	* @throws NoSuchAlgorithmException if the credential uses an unknown
114	* signature algorithm
115	* @throws NoSuchProviderException if the provider of the signature
116	* algorithm is unavailable
117	* @throws SignatureException if the signature creation fails
118	*/
119	public Identity(String cn) throws
120	CertificateException, NoSuchAlgorithmException,InvalidKeyException,
121	NoSuchProviderException, SignatureException, IOException {
122	X509V1CertificateGenerator gen = new X509V1CertificateGenerator();
123	kp = KeyPairGenerator.getInstance("RSA").genKeyPair();
124
125	gen.setIssuerDN(new X500Principal("CN=" + cn));
126	gen.setSubjectDN(new X500Principal("CN=" + cn));
127	gen.setNotAfter(new Date(System.currentTimeMillis()
128	+ 3600 * 1000 * 24 * 365));
129	gen.setNotBefore(new Date(System.currentTimeMillis()));
130	gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
131	gen.setPublicKey(kp.getPublic());
132	gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
133	X509Certificate a = (X509Certificate) gen.generate(kp.getPrivate(), "BC");
134	init(a);
135	}
136
137
138
139	/**
140	* Construct from a file, containing a self-signed PEM certificate.
141	* @param file the File to read
142	* @throws CertificateException if the certificate is badly formatted
143	* @throws InvalidKeyException if none of the Identities can validate the
144	* certificate
145	* @throws NoSuchAlgorithmException if the credential uses an unknown
146	* signature algorithm
147	* @throws NoSuchProviderException if the provider of the signature
148	* algorithm is unavailable
149	* @throws SignatureException if the signature check fails
150	* @throws IOException if the certificate is unparsable.
151	*/
152	public Identity(File file) throws
153	CertificateException, NoSuchAlgorithmException,InvalidKeyException,
154	NoSuchProviderException, SignatureException, FileNotFoundException,
155	IOException {
156	kp = null;
157	init(new FileReader(file));
158	}
159
160	/**
161	* Construct from a reader containing a self-signed PEM certificate.
162	* @param r the Reader containing the certificate
163	* @throws CertificateException if the certificate is badly formatted
164	* @throws InvalidKeyException if none of the Identities can validate the
165	* certificate
166	* @throws NoSuchAlgorithmException if the credential uses an unknown
167	* signature algorithm
168	* @throws NoSuchProviderException if the provider of the signature
169	* algorithm is unavailable
170	* @throws SignatureException if the signature check fails
171	* @throws IOException if the certificate is unparsable.
172	*/
173	public Identity(Reader r) throws
174	CertificateException, NoSuchAlgorithmException,InvalidKeyException,
175	NoSuchProviderException, SignatureException, IOException {
176	kp = null;
177	init(r);
178	}
179
180	/**
181	* Construct from an InputStream containing a self-signed PEM certificate.
182	* @param s the InputStream containing the certificate
183	* @throws CertificateException if the certificate is badly formatted
184	* @throws InvalidKeyException if none of the Identities can validate the
185	* certificate
186	* @throws NoSuchAlgorithmException if the credential uses an unknown
187	* signature algorithm
188	* @throws NoSuchProviderException if the provider of the signature
189	* algorithm is unavailable
190	* @throws SignatureException if the signature check fails
191	* @throws IOException if the certificate is unparsable.
192	*/
193	public Identity(InputStream s) throws
194	CertificateException, NoSuchAlgorithmException,InvalidKeyException,
195	NoSuchProviderException, SignatureException, IOException {
196	kp = null;
197	init(new InputStreamReader(s));
198	}
199
200	/**
201	* Construct from an X509Certificate
202	* @param cert an X509Certificate to init from
203	* @throws CertificateException if the certificate is badly formatted
204	* @throws InvalidKeyException if none of the Identities can validate the
205	* certificate
206	* @throws NoSuchAlgorithmException if the credential uses an unknown
207	* signature algorithm
208	* @throws NoSuchProviderException if the provider of the signature
209	* algorithm is unavailable
210	* @throws SignatureException if the signature check fails
211	* @throws IOException if the certificate is unparsable.
212	*/
213	public Identity(X509Certificate cert) throws
214	CertificateException, NoSuchAlgorithmException,InvalidKeyException,
215	NoSuchProviderException, SignatureException, FileNotFoundException,
216	IOException {
217	kp = null;
218	init(cert);
219	}
220
221	/**
222	* Write the PEM key to the given writer.
223	* @param w the Writer
224	* @return true if the Identity had a keypair and wrote the key
225	* @throws IOException if writing fails
226	*/
227	public boolean writePrivateKey(Writer w) throws IOException {
228	if (kp != null ) {
229	PEMWriter pw = new PEMWriter(w);
230
231	pw.writeObject(kp.getPrivate());
232	pw.flush();
233	return true;
234	}
235	else return false;
236	}
237
238	/**
239	* Write the PEM key to a file with the given name.
240	*/
241	public boolean writePrivateKey(String fn)
242	throws IOException, FileNotFoundException {
243	return writePrivateKey(new FileWriter(fn));
244	}
245
246	/**
247	* Write the PEM key to the given file.
248	* @param fn a String with the output file name
249	* @return true if the Identity had a keypair and wrote the key
250	* @throws IOException if writing fails
251	*/
252	public boolean writePrivateKey(File fn)
253	throws IOException, FileNotFoundException {
254	return writePrivateKey(new FileWriter(fn));
255	}
256
257	/**
258	* Write the PEM key to the given OutputStream.
259	* @param s an OutputStream to write on
260	* @return true if the Identity had a keypair and wrote the key
261	* @throws IOException if writing fails
262	*/
263	public boolean writePrivateKey(OutputStream s)
264	throws IOException, FileNotFoundException {
265	return writePrivateKey(new OutputStreamWriter(s));
266	}
267
268
269	/**
270	* Write the PEM cert to the given writer.
271	* @param w a Writer to write on
272	* @throws IOException if writing fails
273	*/
274	public void write(Writer w) throws IOException {
275	PEMWriter pw = new PEMWriter(w);
276
277	pw.writeObject(cert);
278	pw.flush();
279	}
280
281	/**
282	* Write the PEM cert to a file with the given name.
283	*/
284	public void write(String fn) throws IOException, FileNotFoundException {
285	write(new FileWriter(fn));
286	}
287
288	/**
289	* Write the PEM cert to the given file.
290	* @param fn a String with the output file name
291	* @throws IOException if writing fails
292	*/
293	public void write(File fn) throws IOException, FileNotFoundException {
294	write(new FileWriter(fn));
295	}
296
297	/**
298	* Write the PEM cert to the given OutputStream.
299	* @param s an OutputStream to write on
300	* @throws IOException if writing fails
301	*/
302	public void write(OutputStream s)
303	throws IOException, FileNotFoundException {
304	write(new OutputStreamWriter(s));
305	}
306
307
308	/**
309	* Return the Identity's KeyID
310	* @return the Identity's KeyID
311	*/
312	public String getKeyID() { return keyid; }
313	/**
314	* Return the Identity's mnemonic name
315	* @return the Identity's mnemonic name
316	*/
317	public String getName() { return cn; }
318	/**
319	* Return the Identity's X509 Certificate
320	* @return the Identity's X509 Certificate
321	*/
322	public X509Certificate getCertificate() { return cert; }
323	/**
324	* Return a simple string rep of the Identity.
325	* @return a simple string rep of the Identity.
326	*/
327	public String toString() {
328	String s = keyid + " (" + cn ;
329
330	if (keyid != null ) s += " [keyed]";
331	s += ")";
332	return s;
333	}
334	/**
335	* Associate a keypair with this Identity. If the ID has a certificate,
336	* make sure that the keypair matches it. If not throw an
337	* IllegalArgumentException.
338	* @param k the KeyPair to connect
339	* @throws IllegalArgumentException if the keypair does not
340	* match the pubkey in the X509 certificate
341	*/
342	public void setKeyPair(KeyPair k) {
343	if (keyid != null) {
344	String kid = Context.extractKeyID(k.getPublic());
345
346	if ( kid != null && kid.equals(keyid)) kp = k;
347	else
348	throw new IllegalArgumentException(
349	"Keypair does not match certificate");
350	}
351	else kp = k;
352	}
353
354	/**
355	* Return the keypair associated with this Identity (if any)
356	* @return the keypair associated with this Identity (if any)
357	*/
358	public KeyPair getKeyPair() { return kp; }
359
360	/**
361	* Equality test. Two Identities are equal if their key ID's match.
362	* @return true if the two key ID's are equal.
363	*/
364	public boolean equals(Object o) {
365	if ( o == null ) return false;
366	else if ( ! (o instanceof Identity) ) return false;
367	else return getKeyID().equals(((Identity)o).getKeyID());
368	}
369	/**
370	* Allow Identities to be compared. They are ordered by their key ID's.
371	* @param o an Object to compare
372	* @return -1 if this Identity is before, 0 if they are the same, and 1
373	* if this Identity is after the given object.
374	*/
375	public int compareTo(Object o) {
376	if ( ! (o instanceof Identity) ) return 1;
377	else return getKeyID().compareTo(((Identity)o).getKeyID());
378	}
379
380	};

Note: See TracBrowser for help on using the repository browser.

Download in other formats: