Context Navigation

source: java/net/deterlab/abac/X509Credential.java @ 4560b65

abac0-leakabac0-meimei-idmei-rt0-nmei_rt0tvf-new-xml

Last change on this file since 4560b65 was 4560b65, checked in by Ted Faber <faber@…>, 11 years ago
Bump version number
Property mode set to `100644`
File size: 12.0 KB

Line
1	package net.deterlab.abac;
2
3	import java.io.*;
4	import java.math.*;
5
6	import java.util.*;
7	import java.security.*;
8	import java.security.cert.*;
9
10	import javax.security.auth.x500.*;
11
12	import org.bouncycastle.asn1.*;
13	import org.bouncycastle.asn1.x509.*;
14	import org.bouncycastle.x509.*;
15	import org.bouncycastle.x509.util.*;
16	import org.bouncycastle.openssl.*;
17
18	/**
19	* An ABAC credential, with or without an underlying certificate that
20	* represents it. These are edges in proof garphs and can be constructed from
21	* their constituent Roles.
22	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
23	* @version 1.4
24	*/
25	public class X509Credential extends Credential implements Comparable {
26	/** The ASN1 OID for an IETF attribute. */
27	protected static String attrOID = "1.3.6.1.5.5.7.10.4";
28	/** The ASN1 OID for AuthorityKeyIdentifier. */
29	protected static String authKeyOID = "2.5.29.35";
30	/** The certificate representing this credential */
31	protected X509V2AttributeCertificate ac;
32
33	/** Make sure BouncyCastle is loaded */
34	static { Context.loadBouncyCastle(); }
35
36	/**
37	* Create an empty Credential.
38	*/
39	public X509Credential() {
40	m_head = m_tail = null;
41	ac = null;
42	id = null;
43	}
44	/**
45	* Create a credential from a head and tail role. This credential has no
46	* underlying certificate, and cannot be exported or used in real proofs.
47	* make_cert can create a certificate for a credential initialized this
48	* way.
49	* @param head the Role at the head of the credential
50	* @param tail the Role at the tail of the credential
51	*/
52	public X509Credential(Role head, Role tail) {
53	m_head = head;
54	m_tail = tail;
55	ac = null;
56	id = null;
57	}
58
59	/**
60	* Do the credential extraction from an input stream. This parses the
61	* certificate from the input stream and saves it. The contents must be
62	* validated and parsed later.
63	* @param stream the InputStream to read the certificate from.
64	* @throws IOException if the stream is unparsable
65	*/
66	protected void read_certificate(InputStream stream)
67	throws IOException {
68	try {
69	ac = new X509V2AttributeCertificate(stream);
70	}
71	catch (Exception e) {
72	throw new IOException(e.getMessage(), e);
73	}
74	}
75
76	/**
77	* Initialize a credential from parsed certificate. Validiate it against
78	* the given identities and parse out the roles. Note that catching
79	* java.security.GeneralSecurityException catches most of the exceptions
80	* this throws.
81	* @param ids a Collection of Identities to use in validating the cert
82	* @throws CertInvalidException if the stream is unparsable
83	* @throws MissingIssuerException if none of the Identities can validate the
84	* certificate
85	* @throws BadSignatureException if the signature check fails
86	*/
87	protected void init(Collection<Identity> ids)
88	throws ABACException {
89	for (Identity i: ids) {
90	try {
91	ac.verify(i.getCertificate().getPublicKey(), "BC");
92	id = i;
93	break;
94	}
95	catch (GeneralSecurityException e) { }
96	}
97	if (id == null) throw new MissingIssuerException("Unknown identity");
98
99	load_roles();
100
101	if (!id.getKeyID().equals(m_head.principal()))
102	throw new MissingIssuerException("Unknown identity");
103	}
104
105	/**
106	* Parse a credential from an InputStream and initialize the role from it.
107	* Combine read_credential(stream) and init(ids). Note that catching
108	* java.security.GeneralSecurityException catches most of the exceptions
109	* this throws.
110	* @param stream the InputStream to read the certificate from.
111	* @param ids a Collection of Identities to use in validating the cert
112	* @throws CertInvalidException if the stream is unparsable
113	* @throws MissingIssuerException if none of the Identities can validate the
114	* certificate
115	* @throws BadSignatureException if the signature check fails
116	*/
117	protected void init(InputStream stream, Collection<Identity> ids)
118	throws ABACException {
119	try {
120	read_certificate(stream);
121	}
122	catch (IOException e) {
123	throw new CertInvalidException(e.getMessage(), e);
124	}
125	if (ac == null) throw new CertInvalidException("Unknown Format");
126	init(ids);
127	}
128
129	/**
130	* Create a credential from an attribute cert in a file. Throws an
131	* exception if the cert file can't be opened or if there's a format
132	* problem with the cert. Note that catching
133	* java.security.GeneralSecurityException catches most of the exceptions
134	* this throws.
135	* @param filename a String containing the filename to read
136	* @param ids a Collection of Identities to use in validating the cert
137	* @throws CertInvalidException if the stream is unparsable
138	* @throws MissingIssuerException if none of the Identities can validate the
139	* certificate
140	* @throws BadSignatureException if the signature check fails
141	*/
142	public X509Credential(String filename, Collection<Identity> ids)
143	throws ABACException {
144	try {
145	init(new FileInputStream(filename), ids);
146	}
147	catch (FileNotFoundException e) {
148	throw new CertInvalidException("Bad filename", e);
149	}
150	}
151
152	/**
153	* Create a credential from an attribute cert in a file. Throws an
154	* exception if the cert file can't be opened or if there's a format
155	* problem with the cert. Note that catching
156	* java.security.GeneralSecurityException catches most of the exceptions
157	* this throws.
158	* @param file the File to read
159	* @param ids a Collection of Identities to use in validating the cert
160	* @throws CertInvalidException if the stream is unparsable
161	* @throws MissingIssuerException if none of the Identities can validate the
162	* certificate
163	* @throws BadSignatureException if the signature check fails
164	*/
165	public X509Credential(File file, Collection<Identity> ids)
166	throws ABACException {
167	try {
168	init(new FileInputStream(file), ids);
169	}
170	catch (FileNotFoundException e) {
171	throw new CertInvalidException("Bad filename", e);
172	}
173	}
174
175	/**
176	* Create a credential from an InputStream. Throws an exception if the
177	* stream can't be parsed or if there's a format problem with the cert.
178	* Note that catching java.security.GeneralSecurityException catches most
179	* of the exceptions this throws.
180	* @param s the InputStream to read
181	* @param ids a Collection of Identities to use in validating the cert
182	* @throws CertInvalidException if the stream is unparsable
183	* @throws MissingIssuerException if none of the Identities can validate the
184	* certificate
185	* @throws BadSignatureException if the signature check fails
186	*/
187	public X509Credential(InputStream s, Collection<Identity> ids)
188	throws ABACException { init(s, ids); }
189
190	/**
191	* Create a credential from an X509V2AttributeCertificate object. Throws
192	* an exception if the certificate doesn't parse into an ABAC credential,
193	* or cannot be validated. Note that catching
194	* java.security.GeneralSecurityException catches most of the exceptions
195	* this throws.
196	* @param c the X509V2AttributeCertificate to create from
197	* @param ids a Collection of Identities to use in validating the cert
198	* @throws CertInvalidException if the stream is unparsable
199	* @throws MissingIssuerException if none of the Identities can validate the
200	* certificate
201	* @throws BadSignatureException if the signature check fails
202	*/
203	public X509Credential(X509V2AttributeCertificate c,
204	Collection<Identity> ids)
205	throws ABACException {
206	ac = c;
207	init(ids);
208	}
209
210
211	/**
212	* Create a certificate from this credential issued by the given identity.
213	* Note that catching java.security.GeneralSecurityException catches most
214	* of the exceptions this throws.
215	* @param i the Identity that will issue the certificate
216	* @throws ABACException if xml creation fails
217	* @throws MissingIssuerException if the issuer is bad
218	* @throws BadSignatureException if the signature creation fails
219	*/
220	public void make_cert(Identity i)
221	throws ABACException {
222	PrivateKey key = i.getKeyPair().getPrivate();
223	SubjectPublicKeyInfo pki = Context.extractSubjectPublicKeyInfo(
224	i.getKeyPair().getPublic());
225	X509V2AttributeCertificateGenerator gen =
226	new X509V2AttributeCertificateGenerator();
227
228	try {
229	gen.setIssuer(new AttributeCertificateIssuer(
230	new X500Principal("CN="+m_head.principal())));
231	gen.setHolder(new AttributeCertificateHolder(
232	new X500Principal("CN="+m_head.principal())));
233	gen.setNotAfter(new Date(System.currentTimeMillis()
234	+ (3600L * 1000L * 24L * 365L)));
235	gen.setNotBefore(new Date(System.currentTimeMillis()));
236	gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
237	gen.addAttribute(new X509Attribute(attrOID,
238	new DERSequence(
239	new DERSequence(
240	new DERUTF8String(toString())))));
241	gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
242
243	// Creddy expects an authority key identifier.
244	gen.addExtension(authKeyOID, false,
245	new AuthorityKeyIdentifier(pki));
246	ac = (X509V2AttributeCertificate) gen.generate(key, "BC");
247	}
248	catch (Exception e) {
249	throw new ABACException("Cannot encode cert", e);
250	}
251	// Create the cert.
252	id = i;
253	}
254
255	/**
256	* Load the roles off the attribute cert.
257	* @throws CertInvalidException if the certificate is badly formatted
258	*/
259	private void load_roles() throws CertInvalidException {
260	String roles = null;
261	try {
262	X509Attribute attr = ac.getAttributes()[0];
263
264	DERSequence t1 = (DERSequence)attr.getValues()[0];
265	DERSequence t2 = (DERSequence)t1.getObjectAt(0);
266	DERUTF8String t3 = (DERUTF8String)t2.getObjectAt(0);
267
268	roles = t3.getString();
269	}
270	catch (Exception e) {
271	throw new CertInvalidException("Badly formatted certificate");
272	}
273
274	String[] parts = roles.split("\\s<--?\\s");
275	if (parts.length != 2)
276	throw new CertInvalidException("Invalid attribute: " + roles);
277
278	m_head = new Role(parts[0]);
279	m_tail = new Role(parts[1]);
280	}
281
282	/**
283	* Gets the cert associated with this credential (if any).
284	* @return the attribute cert associated with this credential (if any).
285	*/
286	public X509V2AttributeCertificate cert() { return ac; }
287
288	/**
289	* Output the DER formatted attribute certificate associated with this
290	* Credential to the OutputStream.
291	* @param s the OutputStream on which to write
292	* @throws IOException if there is an error writing.
293	*/
294	public void write(OutputStream s) throws IOException {
295	if (ac != null )
296	s.write(ac.getEncoded());
297	s.flush();
298	}
299
300	/**
301	* Output the DER formatted attribute certificate associated with this
302	* Credential to the filename given.
303	* @param fn a String containing the output filename
304	* @throws IOException if there is an error writing.
305	*/
306	public void write(String fn) throws IOException, FileNotFoundException {
307	write(new FileOutputStream(fn));
308	}
309
310	/**
311	* Return true if this Credential has a certificate associated. A jabac
312	* extension.
313	* @return true if this Credential has a certificate associated.
314	*/
315	public boolean hasCertificate() { return ac != null; }
316
317	/**
318	* Return the X509V2AttributeCertificate that underlys the Credential
319	* @return the X509V2AttributeCertificate that underlys the Credential.
320	*/
321	public X509V2AttributeCertificate attributeCert() { return ac; }
322
323	/**
324	* Return a CredentialParser for X509Credentials. Used by the
325	* CredentialFactory to parse these kind of credentials. It is basically a
326	* constuctor call.
327	* @return a CredentialParser for this kind of credential.
328	*/
329	static public CredentialParser getCredentialParser() {
330	return new CredentialParser() {
331	public Credential[] parseCredential(InputStream is,
332	Collection<Identity> ids) throws ABACException {
333	return new Credential[] { new X509Credential(is, ids) };
334	}
335	};
336	}
337
338
339	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: