Changeset e36ea1d


Ignore:
Timestamp:
Mar 25, 2011 6:35:05 PM (8 years ago)
Author:
Ted Faber <faber@…>
Branches:
abac0-leak, abac0-mei, compt_changes, gec13, master, mei-id, mei-rt0-n, mei_rt0, mei_rt2, mei_rt2_fix_1, meiyap-rt1, meiyap1, rt2, tvf-new-xml
Children:
b67a7ac
Parents:
56ec930
Message:

Initial javadocs

Location:
java
Files:
5 edited

Legend:

Unmodified
Added
Removed
  • java/build.xml

    rea3bddc re36ea1d  
    55  <property name="classes.dir" value="${build.dir}/classes"/>
    66  <property name="jar.dir" value="${build.dir}/jar"/>
     7  <property name="doc.dir" value="./doc"/>
    78  <property name="main.class" value="GraphTest"/>
    89  <property name="dump.class" value="Dumper"/>
     
    1011  <target name="clean">
    1112    <delete dir="${build.dir}"/>
     13    <delete dir="${doc.dir}"/>
    1214    <delete>
    1315      <fileset dir="${basedir}" includes="**/*.der"/>
     
    3840  </target>
    3941
     42  <target name="doc" description="Generate API documentation">
     43    <mkdir dir="${doc.dir}"/>
     44    <javadoc sourcepath="${src.dir}" destdir="${doc.dir}"
     45      classpathref="compile.classpath" access="public"
     46      noqualifier="java.lang:java.io:java.util:java.security:java.security.cert"/>
     47  </target>
     48
    4049  <target name="run" depends="compile" description="run visualizer">
    4150    <java classname="${main.class}" fork="true" >
  • java/net/deterlab/abac/Context.java

    r56ec930 re36ea1d  
    11package net.deterlab.abac;
    22
    3 import org.apache.commons.collections15.*;
    4 import org.apache.commons.collections15.functors.*;
    5 
    63import edu.uci.ics.jung.graph.*;
    7 import edu.uci.ics.jung.graph.event.*;
    84import edu.uci.ics.jung.graph.util.*;
    95
    10 import java.awt.geom.Point2D;
    116import java.io.*;
    127import java.util.*;
     
    1813import org.bouncycastle.asn1.x509.*;
    1914import org.bouncycastle.x509.*;
    20 import org.bouncycastle.x509.util.*;
    2115import org.bouncycastle.openssl.*;
    2216
    2317/**
    2418 * Represents a global graph of credentials in the form of principals and
    25  * attributes.
     19 * attributes.  Contains the identities and credentials that can be used in a
     20 * proof.
     21 * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
     22 * @version 1.3
    2623 */
    2724public class Context {
    28     static final int ABAC_CERT_SUCCESS = 0;
    29     static final int ABAC_CERT_INVALID = -1;
    30     static final int ABAC_CERT_BAD_SIG = -2;
    31     static final int ABAC_CERT_MISSING_ISSUER = -3;
    32 
     25    /** Certificate imported successfully */
     26    public static final int ABAC_CERT_SUCCESS = 0;
     27    /** Certificate import failed, invalid certificate */
     28    public static final int ABAC_CERT_INVALID = -1;
     29    /** Certificate import failed, signature filed */
     30    public static final int ABAC_CERT_BAD_SIG = -2;
     31    /** Certificate import failed, unknown issuer */
     32    public static final int ABAC_CERT_MISSING_ISSUER = -3;
     33
     34    /** Internal graph representation */
    3335    protected Graph<Role,Credential> g;
     36    /** Set of edges in the graph that were added by the logic.  */
    3437    protected Set<Credential> derived_edges;
     38    /** Internal persistent query object */
    3539    protected Query pq;
     40    /** True when the graph has been changed since the last set of implied
     41     * edges were calculated. */
    3642    protected boolean dirty;
     43    /** Set of identities known to this Context. */
    3744    protected Set<Identity> identities;
    3845
     46    /** Translation from issuer CN to issuer pubkey identifier */
    3947    protected Map<String, String> nicknames;
     48    /** Translation from issuer pubkey identifier to issuer CN */
    4049    protected Map<String, String> keys;
    4150
     51    /**
     52     * The result of a query on this context.  The credentials form a partial
     53     * or total proof, and success indicates whether the proof succeeded.
     54     * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
     55     * @version 1.3
     56     */
    4257    public class QueryResult {
     58        /** Credentials returned */
    4359        protected Collection<Credential> creds;
     60        /** True if the proof succeeded. */
    4461        protected boolean success;
    4562
    46         public QueryResult(Collection<Credential> c, boolean s) {
     63        /**
     64         * Construct a result from components.
     65         * @param c the collection of credentials in the proof
     66         * @param s a boolean, true if the query succeeded.
     67         */
     68        QueryResult(Collection<Credential> c, boolean s) {
    4769            creds = c;
    4870            success = s;
    4971        }
    5072
     73        /**
     74         * Empty constructor
     75         */
    5176        public QueryResult() {
    5277            creds = new TreeSet<Credential>();
     
    5479        }
    5580
     81        /**
     82         * Return the credentials in the proof.
     83         * @return the collection of credentials
     84         */
    5685        public Collection<Credential> getCredentials() { return creds; }
     86        /**
     87         * Return the success in the proof.
     88         * @return the boolean, true on success
     89         */
    5790        public boolean getSuccess() { return success; }
    5891    }
    5992
    6093
     94    /**
     95     * Create an empty Context.
     96     */
    6197    public Context() {
    6298        /* create the graph */
     
    71107    }
    72108
     109    /**
     110     * Create a context from another context.
     111     * @param c the Context to copy
     112     */
    73113    public Context(Context c) {
    74114        this();
     
    80120    }
    81121
     122    /**
     123     * Load an Identity from a file.
     124     * @param fn a String containing the file name.
     125     * @return one of the static int return codes.
     126     */
    82127    public int loadIDFile(String fn) { return loadIDChunk(new File(fn)); }
     128    /**
     129     * Load an Identity from a file.
     130     * @param fn a File containing the file name.
     131     * @return one of the static int return codes.
     132     */
    83133    public int loadIDFile(File fn) { return loadIDChunk(fn); }
     134    /**
     135     * Load an Identity from an object.  Supported objects are an Identity, a
     136     * String, a File, or a java.security.cert.X509Certificate.  A string
     137     * creates an new identity, and the others are derived from the contents of
     138     * the data or file.
     139     * @param c an object convertable to an identity as above.
     140     * @return one of the static int return codes.
     141     */
    84142    public int loadIDChunk(Object c) {
    85143        try {
     
    104162    }
    105163
     164    /**
     165     * Load an attribute certificate from a file.
     166     * @param fn a String containing the file name.
     167     * @return one of the static int return codes.
     168     */
    106169    public int loadAttributeFile(String fn) {
    107170        return loadAttributeChunk(new File(fn));
    108171    }
    109172
     173    /**
     174     * Load an attribute certificate from a file.
     175     * @param fn a File containing the file name.
     176     * @return one of the static int return codes.
     177     */
    110178    public int loadAttributeFile(File fn) { return loadAttributeChunk(fn); }
    111179
     180    /**
     181     * Load an Identity from an object.  Supported objects are a Credential, a
     182     * String, a File, or an org.bouncycastle.x509.X509V2AttributeCertificate.
     183     * A string creates an new Credential, and the others are derived from the
     184     * contents of the data or file.
     185     * @param c an object convertable to a Credential as above.
     186     * @return one of the static int return codes.
     187     */
    112188    public int loadAttributeChunk(Object c) {
    113189        try {
     
    133209    }
    134210
     211    /**
     212     * Determine if prinicpal possesses role in the current context.  If so,
     213     * return a proof of that, otherwise return a partial proof of it.
     214     * @param role a String encoding the role to check for.
     215     * @param principal a String with the principal ID in it.
     216     * @return a Context.QueryResult containing the result.
     217     */
    135218    public QueryResult query(String role, String principal) {
    136219        derive_implied_edges();
     
    143226
    144227    /**
    145      * Returns a collection of the credentials in the graph.
     228     * Return a collection of the credentials in the graph.s
     229     * @return a collection of the credentials in the graph.
    146230     */
    147231    public Collection<Credential> credentials() {
     
    156240    }
    157241
     242    /**
     243     * Returns true if the given Identity is known in this Context.  A jabac
     244     * extension.
     245     * @param i the Identity to look for
     246     * @return a boolean, true if the Identity is known.
     247     */
    158248    public boolean knowsIdentity(Identity i) { return identities.contains(i); }
     249    /**
     250     * Returns true if an Identity with the given string representation is
     251     * known in this Context.  A jabac extension.
     252     * @param k the string representing the Identity to look for
     253     * @return a boolean, true if the Identity is known.
     254     */
    159255    public boolean knowsKeyID(String k) {
    160256        boolean known = false;
     
    167263    /**
    168264     * Add a credential to the graph.
     265     * @param cred the Credential to add
    169266     */
    170267    protected void add_credential(Credential cred) {
     
    191288    /**
    192289     * Remove a credential from the graph.
     290     * @param cred the Credential to remove
    193291     */
    194292    protected void remove_credential(Credential cred) {
     
    200298    /**
    201299     * Add a role w/o an edge
     300     * @param v the Role to add
    202301     */
    203302    protected void add_vertex(Role v) {
     
    208307    }
    209308
     309    /**
     310     * Remove a role and connected edges.
     311     * @param v the Role to remove
     312     */
    210313    protected void remove_vertex(Role v) {
    211314        if (g.containsVertex(v)) {
     
    239342     * Single iteration of deriving implied edges. Returns the number of new
    240343     * links added.
     344     * @return the number of new links added.
    241345     */
    242346    protected int derive_links_iter() {
     
    301405     * Add a derived edge in the graph. Returns true only if the edge does not
    302406     * exist.
     407     * @return a boolean, true if an edge has been added
    303408     */
    304409    protected boolean add_derived_edge(Role head, Role tail) {
     
    331436     * common name they are disambiguated.  Only one entry for keyid is
    332437     * allowed.
     438     * @param i the Identity to add
    333439     */
    334440    protected void addIdentity(Identity id) {
     
    352458     * strings.  If any of the smallest strings is in the map, replace it with
    353459     * the value.
     460     * @param is the string to manipulate
     461     * @param m the Map containing translations
     462     * @return the string after modification
    354463     */
    355464    protected String replace(String is, Map<String, String> m) {
     
    369478    }
    370479
    371     public String expandKeyID(String s) { return replace(s, nicknames); }
    372     public String expandNickname(String s) { return replace(s, keys); }
     480    /**
     481     * Expand menmonic names in a Role string, e.g. the CN of the issuer
     482     * certificate, into the full key ID.  Used internally by Roles to provide
     483     * transparent use of mnemonics
     484     * @param s the string to expand
     485     * @return the String after expansion.
     486     */
     487    String expandKeyID(String s) { return replace(s, nicknames); }
     488    /**
     489     * Convert key IDs to  menmonic names in a Role string.  The inverse of
     490     * expandKeyID.
     491     * @param s the string to expand
     492     * @return the String after expansion.
     493     */
     494    String expandNickname(String s) { return replace(s, keys); }
    373495
    374496    /**
     
    378500     * PEM files are put in there.  If errors is not null, errors reading files
    379501     * are added indexed by filename.
     502     * @param zf the File to read
     503     * @param keys a Collection into which to insert unmatched keys
     504     * @param errors a Map from entry name to generated exception
     505     * @throws IOException if the file is unreadable.  Per entry exceptions are
     506     *                     returned in the errors parameter.
    380507     */
    381508    public void readZipFile(File zf, Collection<KeyPair> keys,
     
    444571        }
    445572    }
    446 
     573    /**
     574     * Equivalent to readZipFile(d, null, null).
     575     * @param d the File to read
     576     * @throws IOException if the file is unreadable. To see per-entry
     577     *                      exceptions use a signature with the errors parameter
     578     */
    447579    public void readZipFile(File d)
    448580            throws IOException {
    449581        readZipFile(d, null, null);
    450582    }
     583    /**
     584     * Equivalent to readZipFile(d, null, errors).
     585     * @param d the File to read
     586     * @param errors a Map from entry name to generated exception
     587     * @throws IOException if the file is unreadable.  Per entry exceptions are
     588     *                     returned in the errors parameter.
     589     */
    451590    public void readZipFile(File d,
    452591            Map<String, Exception> errors) throws IOException {
    453592        readZipFile(d, null, errors);
    454593    }
     594    /**
     595     * Equivalent to readZipFile(d, keys, null).
     596     * @param d the File to read
     597     * @param keys a Collection into which to insert unmatched keys
     598     * @throws IOException if the file is unreadable. To see per-entry
     599     *                      exceptions use a signature with the errors parameter
     600     */
    455601    public void readZipFile(File d,
    456602            Collection<KeyPair> keys) throws IOException {
     
    458604    }
    459605
     606    /**
     607     * Read a PEM file that contains an X509 Certificate, a key pair, or both.
     608     * If a cert is present it is converted into an Identity.  A key pair is
     609     * returned as a java.security.KeyPair and both are returned as an Identity
     610     * with an associated key pair.
     611     * @param r a PEMReader from which to read
     612     * @return an object encoding the contents (as above)
     613     * @throws IOException for an unreadable or badly formated input
     614     */
    460615    protected Object readPEM(PEMReader r) throws IOException {
    461616        Identity i = null;
     
    501656     * PEM files are put in there.  If errors is not null, errors reading files
    502657     * are added indexed by filename.
     658     * @param d the File to read.  If it is a directory its contents are read
     659     * @param keys a Collection into which to insert unmatched keys
     660     * @param errors a Map from entry name to generated exception
     661     * @throws IOException if the file is unreadable.  Per file exceptions are
     662     *                     returned in the errors parameter.
    503663     */
    504664    public void readDirectory(File d, Collection<KeyPair> keys,
     
    568728        }
    569729    }
    570 
     730    /**
     731     * Equivalent to readDirectory(d, null, null).
     732     * @param d the File to read.  If it is a directory its contents are read
     733     * @throws IOException if the file is unreadable.  To see per-file
     734     *                     exceptions use a signature with the errors parameter.
     735     */
    571736    public void readDirectory(File d) {
    572737        readDirectory(d, null, null);
    573738    }
     739    /**
     740     * Equivalent to readDirectory(d, null, null).
     741     * @param d the File to read.  If it is a directory its contents are read
     742     * @param errors a Map from entry name to generated exception
     743     * @throws IOException if the file is unreadable.  Per file exceptions are
     744     *                     returned in the errors parameter.
     745     */
    574746    public void readDirectory(File d, Map<String, Exception> errors) {
    575747        readDirectory(d, null, errors);
    576748    }
     749    /**
     750     * Equivalent to readDirectory(d, null, null).
     751     * @param d the File to read.  If it is a directory its contents are read
     752     * @param keys a Collection into which to insert unmatched keys
     753     * @throws IOException if the file is unreadable.  To see per-file
     754     *                     exceptions use a signature with the errors parameter.
     755     */
    577756    public void readDirectory(File d, Collection<KeyPair> keys) {
    578757        readDirectory(d, keys, null);
    579758    }
    580759
     760    /**
     761     * Write the certificates that make up the context as a zip file, with an
     762     * entry for each credential or identity.
     763     * @param f the File to write
     764     * @param allIDs a boolean, if true write certificates for all Identities,
     765     * whether used in signing a credential or not.
     766     * @param withPrivateKeys a boolean, if true write the Identities as PEM
     767     * file containing both the certificate and the private keys.
     768     * @throws IOException if there is a problem writhing the file.
     769     */
    581770    public void writeZipFile(File f, boolean allIDs, boolean withPrivateKeys)
    582771            throws IOException {
     
    602791
    603792    /**
    604      * Get to the SHA1 hash of the key.
    605      */
    606     public static String extractKeyID(PublicKey k) {
     793     * Get to the SHA1 hash of the key.  Used by Roles and Identities to get a
     794     * key ID.
     795     * @param k the PublicKey to get the ID from.
     796     * @return a String with the key identifier
     797     */
     798    static String extractKeyID(PublicKey k) {
    607799        SubjectPublicKeyInfo ki = extractSubjectPublicKeyInfo(k);
    608800        SubjectKeyIdentifier id =
     
    619811     * Extratct the SubjectPublicKeyInfo.  Useful for some other encryptions,
    620812     * notably Certificate.make_cert().
    621      */
    622     public static SubjectPublicKeyInfo extractSubjectPublicKeyInfo(
     813     * @param k the PublicKey to get the ID from.
     814     * @return a String with the key identifier
     815     */
     816    static SubjectPublicKeyInfo extractSubjectPublicKeyInfo(
    623817            PublicKey k) {
    624818        ASN1Sequence seq = null;
  • java/net/deterlab/abac/Credential.java

    rd69593c re36ea1d  
    55
    66import java.util.*;
    7 import java.util.zip.*;
    87import java.security.*;
    98import java.security.cert.*;
    109
    11 import net.deterlab.abac.Identity;
     10import javax.security.auth.x500.*;
    1211
    1312import org.bouncycastle.asn1.*;
    1413import org.bouncycastle.asn1.x509.*;
    1514import org.bouncycastle.x509.*;
    16 import org.bouncycastle.jce.X509Principal;
    17 import org.bouncycastle.jce.provider.X509AttrCertParser;
    18 import org.bouncycastle.jce.provider.X509CertificateObject;
    19 import org.bouncycastle.openssl.PEMReader;
    20 
    21 import java.security.PrivateKey;
    22 
     15import org.bouncycastle.x509.util.*;
     16import org.bouncycastle.openssl.*;
     17
     18/**
     19 * An ABAC credential, with or without an underlying certificate that
     20 * represents it.  These are edges in proof garphs and can be constructed from
     21 * their constituent Roles.
     22 * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
     23 * @version 1.3
     24 */
    2325public class Credential implements Comparable {
    24     protected static Vector<Identity> s_ids = new Vector<Identity>();
     26    /** The ASN1 OID for an IETF attribute. */
    2527    protected static String attrOID = "1.3.6.1.5.5.7.10.4";
     28    /** The ASN1 OID for AuthorityKeyIdentifier. */
    2629    protected static String authKeyOID = "2.5.29.35";
    2730
    28     protected Role m_head;
     31    /** The role at the head */
     32    protected Role m_head
     33    /** The role at the tail */;
    2934    protected Role m_tail;
     35    /** The certificate representing this credential */
    3036    protected X509V2AttributeCertificate ac;
     37    /** The identity that issued the certificate */
    3138    protected Identity id;
    3239
    3340    /**
    34      * A dummy credential.
     41     * Create an empty Credential.
    3542     */
    3643    public Credential() {
     
    4047    }
    4148    /**
    42      * Create a credential from a head and tail role. This is only for testing.
    43      * In a real implementation the Credential must be loaded from an X.509
    44      * attribute cert.
     49     * Create a credential from a head and tail role.  This credential has no
     50     * underlying certificate, and cannot be exported or used in real proofs.
     51     * make_cert can create a certificate for a credential initialized this
     52     * way.
     53     * @param head the Role at the head of the credential
     54     * @param tail the Role at the tail of the credential
    4555     */
    4656    public Credential(Role head, Role tail) {
     
    5262
    5363    /**
    54      * Do the credential initialization from a filename.
     64     * Do the credential extraction from an input stream.  This parses the
     65     * certificate from the input stream and saves it. The contents must be
     66     * validated and parsed later.
     67     * @param stream the InputStream to read the certificate from.
     68     * @throws IOException if the stream is unparsable
    5569     */
    5670    protected void read_certificate(InputStream stream)
    57             throws Exception {
    58         X509AttrCertParser parser = new X509AttrCertParser();
    59         parser.engineInit(stream);
    60         ac = (X509V2AttributeCertificate)parser.engineRead();
    61     }
    62 
    63 
    64     protected void init(InputStream stream, Collection<Identity> ids)
    65             throws Exception {
    66         read_certificate(stream);
    67         if (ac == null) throw new IOException("Unknown Format");
    68         init(ids);
    69     }
    70 
     71            throws IOException {
     72        ac = new X509V2AttributeCertificate(stream);
     73    }
     74
     75    /**
     76     * Initialize a credential from parsed certificate.  Validiate it against
     77     * the given identities and parse out the roles.  Note that catching
     78     * java.security.GeneralSecurityException catches most of the exceptions
     79     * this throws.
     80     * @param ids a Collection of Identities to use in validating the cert
     81     * @throws CertificateException if the certificate is badly formatted
     82     * @throws InvalidKeyException if none of the Identities can validate the
     83     *                              certificate
     84     * @throws NoSuchAlgorithmException if the credential uses an unknown
     85     *                              signature algorithm
     86     * @throws NoSuchProviderException if the provider of the signature
     87     *                              algorithm is unavailable
     88     * @throws SignatureException if the signature check fails
     89     */
    7190    protected void init(Collection<Identity> ids)
    7291            throws CertificateException, InvalidKeyException,
     
    88107            throw new InvalidKeyException("Unknown identity");
    89108    }
    90     /**
    91      * Create a credential from an attribute cert. Throws an exception if the
    92      * cert file can't be opened or if there's a format problem with the cert.
     109
     110    /**
     111     * Parse a credential from an InputStream and initialize the role from it.
     112     * Combine read_credential(stream) and init(ids).  Note that catching
     113     * java.security.GeneralSecurityException catches most of the exceptions
     114     * this throws.
     115     * @param stream the InputStream to read the certificate from.
     116     * @param ids a Collection of Identities to use in validating the cert
     117     * @throws CertificateException if the certificate is badly formatted
     118     * @throws InvalidKeyException if none of the Identities can validate the
     119     *                              certificate
     120     * @throws NoSuchAlgorithmException if the credential uses an unknown
     121     *                              signature algorithm
     122     * @throws NoSuchProviderException if the provider of the signature
     123     *                              algorithm is unavailable
     124     * @throws SignatureException if the signature check fails
     125     * @throws IOException if the certificate is unparsable.
     126     */
     127    protected void init(InputStream stream, Collection<Identity> ids)
     128            throws CertificateException, InvalidKeyException,
     129                NoSuchAlgorithmException, NoSuchProviderException,
     130                SignatureException, IOException {
     131        read_certificate(stream);
     132        if (ac == null) throw new IOException("Unknown Format");
     133        init(ids);
     134    }
     135
     136    /**
     137     * Create a credential from an attribute cert in a file. Throws an
     138     * exception if the cert file can't be opened or if there's a format
     139     * problem with the cert.  Note that catching
     140     * java.security.GeneralSecurityException catches most of the exceptions
     141     * this throws.
     142     * @param filename a String containing the filename to read
     143     * @param ids a Collection of Identities to use in validating the cert
     144     * @throws StreamParsingException if the stream is unparsable
     145     * @throws CertificateException if the certificate is badly formatted
     146     * @throws InvalidKeyException if none of the Identities can validate the
     147     *                              certificate
     148     * @throws NoSuchAlgorithmException if the credential uses an unknown
     149     *                              signature algorithm
     150     * @throws NoSuchProviderException if the provider of the signature
     151     *                              algorithm is unavailable
     152     * @throws SignatureException if the signature check fails
     153     * @throws IOException if the certificate is unparsable.
    93154     */
    94155    public Credential(String filename, Collection<Identity> ids)
     
    96157
    97158    /**
    98      * Create a credential from an attribute cert. Throws an exception if the
    99      * cert file can't be opened or if there's a format problem with the cert.
     159     * Create a credential from an attribute cert in a file. Throws an
     160     * exception if the cert file can't be opened or if there's a format
     161     * problem with the cert.  Note that catching
     162     * java.security.GeneralSecurityException catches most of the exceptions
     163     * this throws.
     164     * @param file the File to read
     165     * @param ids a Collection of Identities to use in validating the cert
     166     * @throws StreamParsingException if the stream is unparsable
     167     * @throws CertificateException if the certificate is badly formatted
     168     * @throws InvalidKeyException if none of the Identities can validate the
     169     *                              certificate
     170     * @throws NoSuchAlgorithmException if the credential uses an unknown
     171     *                              signature algorithm
     172     * @throws NoSuchProviderException if the provider of the signature
     173     *                              algorithm is unavailable
     174     * @throws SignatureException if the signature check fails
     175     * @throws IOException if the certificate is unparsable.
    100176     */
    101177    public Credential(File file, Collection<Identity> ids)
    102         throws Exception { init(new FileInputStream(file), ids); }
    103 
    104     /**
    105      * Create a credential from an InputStream.
     178            throws CertificateException, InvalidKeyException,
     179                NoSuchAlgorithmException, NoSuchProviderException,
     180                SignatureException, StreamParsingException, IOException {
     181        init(new FileInputStream(file), ids);
     182    }
     183
     184    /**
     185     * Create a credential from an InputStream.  Throws an exception if the
     186     * stream can't be parsed or if there's a format problem with the cert.
     187     * Note that catching java.security.GeneralSecurityException catches most
     188     * of the exceptions this throws.
     189     * @param s the InputStream to read
     190     * @param ids a Collection of Identities to use in validating the cert
     191     * @throws StreamParsingException if the stream is unparsable
     192     * @throws CertificateException if the certificate is badly formatted
     193     * @throws InvalidKeyException if none of the Identities can validate the
     194     *                              certificate
     195     * @throws NoSuchAlgorithmException if the credential uses an unknown
     196     *                              signature algorithm
     197     * @throws NoSuchProviderException if the provider of the signature
     198     *                              algorithm is unavailable
     199     * @throws SignatureException if the signature check fails
     200     * @throws IOException if the certificate is unparsable.
    106201     */
    107202    public Credential(InputStream s, Collection<Identity> ids)
    108         throws Exception { init(s, ids); }
    109 
     203            throws CertificateException, InvalidKeyException,
     204                NoSuchAlgorithmException, NoSuchProviderException,
     205                SignatureException, StreamParsingException, IOException {
     206        init(s, ids);
     207    }
     208
     209    /**
     210     * Create a credential from an X509V2AttributeCertificate object.  Throws
     211     * an exception if the certificate doesn't parse into an ABAC credential,
     212     * or cannot be validated.  Note that catching
     213     * java.security.GeneralSecurityException catches most of the exceptions
     214     * this throws.
     215     * @param c the X509V2AttributeCertificate to create from
     216     * @param ids a Collection of Identities to use in validating the cert
     217     * @throws CertificateException if the certificate is badly formatted
     218     * @throws InvalidKeyException if none of the Identities can validate the
     219     *                              certificate
     220     * @throws NoSuchAlgorithmException if the credential uses an unknown
     221     *                              signature algorithm
     222     * @throws NoSuchProviderException if the provider of the signature
     223     *                              algorithm is unavailable
     224     * @throws SignatureException if the signature check fails
     225     * @throws IOException if the certificate is unparsable.
     226     */
    110227    public Credential(X509V2AttributeCertificate c, Collection<Identity> ids)
    111         throws Exception {
     228            throws CertificateException, InvalidKeyException,
     229                NoSuchAlgorithmException, NoSuchProviderException,
     230                SignatureException, IOException {
    112231        ac = c;
    113232        init(ids);
     
    117236    /**
    118237     * Create a certificate from this credential issued by the given identity.
    119      * This is just grungy credential generation work.
    120      */
    121     public void make_cert(Identity i) {
     238     * Note that catching java.security.GeneralSecurityException catches most
     239     * of the exceptions this throws.
     240     * @param i the Identity that will issue the certificate
     241     * @throws IOException reading or writing problems
     242     * @throws CertificateEncodingException Problem creating certificate
     243     * @throws InvalidKeyException if none of the Identities can sign the
     244     *                              certificate
     245     * @throws NoSuchAlgorithmException if the credential uses an unknown
     246     *                              signature algorithm
     247     * @throws NoSuchProviderException if the provider of the signature
     248     *                              algorithm is unavailable
     249     * @throws SignatureException if the signature creation fails
     250     */
     251    public void make_cert(Identity i)
     252            throws IOException, CertificateEncodingException,
     253               NoSuchProviderException, NoSuchAlgorithmException,
     254               SignatureException, InvalidKeyException {
    122255        PrivateKey key = i.getKeyPair().getPrivate();
    123256        SubjectPublicKeyInfo pki = Context.extractSubjectPublicKeyInfo(
     
    127260
    128261        gen.setIssuer(new AttributeCertificateIssuer(
    129                     new X509Principal("CN="+m_head.principal())));
     262                    new X500Principal("CN="+m_head.principal())));
    130263        gen.setHolder(new AttributeCertificateHolder(
    131                     new X509Principal("CN="+m_head.principal())));
     264                    new X500Principal("CN="+m_head.principal())));
    132265        gen.setNotAfter(new Date(System.currentTimeMillis()
    133266                    + 3600 * 1000 * 24 * 365));
     
    140273        gen.setSignatureAlgorithm("SHA256WithRSAEncryption");
    141274
    142         try {
    143             // Creddy expects an authority key identifier.
    144             gen.addExtension(authKeyOID, false,
    145                     new AuthorityKeyIdentifier(pki));
    146             // Create the cert.
    147             ac = (X509V2AttributeCertificate) gen.generate(key, "BC");
    148         }
    149         catch (Exception e) {
    150             System.err.println(e);
    151         }
     275        // Creddy expects an authority key identifier.
     276        gen.addExtension(authKeyOID, false,
     277                new AuthorityKeyIdentifier(pki));
     278        // Create the cert.
     279        ac = (X509V2AttributeCertificate) gen.generate(key, "BC");
    152280    }
    153281
     
    156284     * there's something wrong with the cert.
    157285     */
    158     private void load_roles() throws RuntimeException {
     286    private void load_roles() {
    159287        String roles = null;
    160288        try {
     
    181309    /**
    182310     * Two credentials are the same if their roles are the same.
     311     * @param o an Object to compare
     312     * @return true if the Credentials have the Roles
    183313     */
    184314    public boolean equals(Object o) {
     
    192322    }
    193323
     324    /**
     325     * Allow credentials to be compared.  They are ordered by their Roles, head
     326     * then tail.
     327     * @param o an Object to compare
     328     * @return -1 if this Credential is before, 0 if they are the same, and 1
     329     *              if this Credential is after the given object.
     330     */
    194331    public int compareTo(Object o) {
    195332        if (o instanceof Credential) {
     
    205342    /**
    206343     * Get the head role from the credential.
     344     * @return the Role in the head
    207345     */
    208346    public Role head() { return m_head; }
     
    210348    /**
    211349     * Get the tail role from the credential
     350     * @return the Role in the tail
    212351     */
    213352    public Role tail() { return m_tail; }
     
    215354    /**
    216355     * Gets the cert associated with this credential (if any).
     356     * @return the attribute cert associated with this credential (if any).
    217357     */
    218358    public X509V2AttributeCertificate cert() { return ac; }
     
    220360    /**
    221361     * Turn the credential into string form. The format is head &lt;- tail. For
    222      * example: A.r1 &lt;- B.r2.r3.
     362     * example: A.r1 &lt;- B.r2.r3.  Principal names are key identifiers.
     363     * @return the string form
    223364     */
    224365    public String toString() {
     
    226367    }
    227368
     369    /**
     370     * Turn the credential into string form. The format is head &lt;- tail. For
     371     * example: A.r1 &lt;- B.r2.r3.  Principal names are shortened to menmonics
     372     * if the Context knows the identity.
     373     * @param c the Context to translate names in
     374     * @return the string form
     375     */
    228376    public String simpleString(Context c) {
    229377        return m_head.simpleString(c) + " <- " + m_tail.simpleString(c);
    230378    }
    231379
     380    /**
     381     * Output the DER formatted attribute certificate associated with this
     382     * Credential to the OutputStream.
     383     * @param s the OutputStream on which to write
     384     * @throws IOException if there is an error writing.
     385     */
    232386    public void write(OutputStream s) throws IOException {
    233         s.write(ac.getEncoded());
     387        if (ac != null )
     388            s.write(ac.getEncoded());
    234389        s.flush();
    235390    }
    236391
     392    /**
     393     * Output the DER formatted attribute certificate associated with this
     394     * Credential to the filename given.
     395     * @param fn a String containing the output filename
     396     * @throws IOException if there is an error writing.
     397     */
    237398    public void write(String fn) throws IOException, FileNotFoundException {
    238399        write(new FileOutputStream(fn));
    239400    }
    240401
     402    /**
     403     * Return true if this Credential has a certificate associated.  A jabac
     404     * extension.
     405     * @return true if this Credential has a certificate associated.
     406     */
    241407    public boolean hasCertificate() { return ac != null; }
    242408
     409    /**
     410     * Return the Identity that issued the underlying certificate.  A jabac
     411     * extension.
     412     * @return the Identity that issued the underlying certificate.
     413     */
    243414    public Identity issuer() { return id; }
     415    /**
     416     * Return the X509Certificate that issued the underlying certificate.
     417     * @return the X509Certificate that issued the underlying certificate.
     418     */
    244419    public X509Certificate issuerCert() { return id.getCertificate(); }
     420    /**
     421     * Return the X509V2AttributeCertificate that underlys the Credential
     422     * @return the X509V2AttributeCertificate that underlys the Credential.
     423     */
    245424    public X509V2AttributeCertificate attributeCert() { return ac; }
    246425
  • java/net/deterlab/abac/Identity.java

    r0595372 re36ea1d  
    1919import org.bouncycastle.openssl.PEMWriter;
    2020
     21/**
     22 * An ABAC identity.  An X509 Certificate-encoded public key.  The key
     23 * identifier is used as the name of the Identity.  This whole class is
     24 * something of a jabac extension.
     25 * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
     26 * @version 1.3
     27 */
    2128public class Identity implements Comparable {
    22     private X509Certificate cert;
    23     private String keyid;
    24     private String cn;
    25     private KeyPair kp;
    26 
    27     /**
    28      *  Initialize internals from PEM cert in a reader.  Use a PEMReader to get
    29      *  the certificate, and call init(cert) on it.
     29    /** The underlying X509 certificate. */
     30    protected X509Certificate cert;
     31    /** The public key id used as this principal's name */
     32    protected String keyid;
     33    /** The common name in the certificate, used as a mnemonic */
     34    protected String cn;
     35    /** The keypair, if any, used to sign for this Identity */
     36    protected KeyPair kp;
     37
     38    /**
     39     * Initialize from PEM cert in a reader.  Use a PEMReader to get
     40     * the certificate, and call init(cert) on it.
     41     * @param r a Reader containing the certificate
     42     * @throws CertificateException if the certificate is badly formatted
     43     * @throws InvalidKeyException if none of the Identities can validate the
     44     *                              certificate
     45     * @throws NoSuchAlgorithmException if the credential uses an unknown
     46     *                              signature algorithm
     47     * @throws NoSuchProviderException if the provider of the signature
     48     *                              algorithm is unavailable
     49     * @throws SignatureException if the signature check fails
     50     * @throws IOException if the certificate is unparsable.
    3051     */
    3152    protected void init(Reader r) throws
     
    5172
    5273    /**
    53      *  Initialize internals from cert.  Confirm it is self signed,  and then
    54      *  the keyid and common name.  There's some work to get this stuff, but
    55      *  it's all an incantation of getting the right classes to get the right
    56      *  data.  Looks more complex than it is.
     74     * Initialize internals from cert.  Confirm it is self signed,  and then
     75     * the keyid and common name.  There's some work to get this stuff, but
     76     * it's all an incantation of getting the right classes to get the right
     77     * data.  Looks more complex than it is.
     78     * @param c an X509Certificate to init from
     79     * @throws CertificateException if the certificate is badly formatted
     80     * @throws InvalidKeyException if none of the Identities can validate the
     81     *                              certificate
     82     * @throws NoSuchAlgorithmException if the credential uses an unknown
     83     *                              signature algorithm
     84     * @throws NoSuchProviderException if the provider of the signature
     85     *                              algorithm is unavailable
     86     * @throws SignatureException if the signature check fails
     87     * @throws IOException if the certificate is unparsable.
    5788     */
    5889    protected void init(X509Certificate c) throws
     
    69100
    70101    /**
    71      * Construct from a string, used as a CN
     102     * Construct from a string, used as a CN.  Keys are generated.
     103     * @param cn a String containing the menomnic name
     104     * @throws IOException reading or writing problems
     105     * @throws CertificateEncodingException Problem creating certificate
     106     * @throws InvalidKeyException if none of the Identities can sign the
     107     *                              certificate
     108     * @throws NoSuchAlgorithmException if the credential uses an unknown
     109     *                              signature algorithm
     110     * @throws NoSuchProviderException if the provider of the signature
     111     *                              algorithm is unavailable
     112     * @throws SignatureException if the signature creation fails
    72113     */
    73114    public Identity(String cn) throws
     
    93134    /**
    94135     * Construct from a file, containing a self-signed PEM certificate.
     136     * @param file the File to read
     137     * @throws CertificateException if the certificate is badly formatted
     138     * @throws InvalidKeyException if none of the Identities can validate the
     139     *                              certificate
     140     * @throws NoSuchAlgorithmException if the credential uses an unknown
     141     *                              signature algorithm
     142     * @throws NoSuchProviderException if the provider of the signature
     143     *                              algorithm is unavailable
     144     * @throws SignatureException if the signature check fails
     145     * @throws IOException if the certificate is unparsable.
    95146     */
    96147    public Identity(File file) throws
     
    103154
    104155    /**
    105      * Construct from a reader, containing a self-signed PEM certificate.
     156     * Construct from a reader containing a self-signed PEM certificate.
     157     * @param r the Reader containing the certificate
     158     * @throws CertificateException if the certificate is badly formatted
     159     * @throws InvalidKeyException if none of the Identities can validate the
     160     *                              certificate
     161     * @throws NoSuchAlgorithmException if the credential uses an unknown
     162     *                              signature algorithm
     163     * @throws NoSuchProviderException if the provider of the signature
     164     *                              algorithm is unavailable
     165     * @throws SignatureException if the signature check fails
     166     * @throws IOException if the certificate is unparsable.
    106167     */
    107168    public Identity(Reader r) throws
     
    113174
    114175    /**
    115      * Construct from an InputStream, containing a self-signed PEM certificate.
     176     * Construct from an InputStream containing a self-signed PEM certificate.
     177     * @param s the InputStream containing the certificate
     178     * @throws CertificateException if the certificate is badly formatted
     179     * @throws InvalidKeyException if none of the Identities can validate the
     180     *                              certificate
     181     * @throws NoSuchAlgorithmException if the credential uses an unknown
     182     *                              signature algorithm
     183     * @throws NoSuchProviderException if the provider of the signature
     184     *                              algorithm is unavailable
     185     * @throws SignatureException if the signature check fails
     186     * @throws IOException if the certificate is unparsable.
    116187     */
    117188    public Identity(InputStream s) throws
     
    123194
    124195    /**
    125      * Construct from an X509Certificate, if you parsed one somewhere
    126      * else.
     196     * Construct from an X509Certificate
     197     * @param cert an X509Certificate to init from
     198     * @throws CertificateException if the certificate is badly formatted
     199     * @throws InvalidKeyException if none of the Identities can validate the
     200     *                              certificate
     201     * @throws NoSuchAlgorithmException if the credential uses an unknown
     202     *                              signature algorithm
     203     * @throws NoSuchProviderException if the provider of the signature
     204     *                              algorithm is unavailable
     205     * @throws SignatureException if the signature check fails
     206     * @throws IOException if the certificate is unparsable.
    127207     */
    128208    public Identity(X509Certificate cert) throws
     
    136216    /**
    137217     * Write the PEM key to the given writer.
     218     * @param w the Writer
     219     * @return true if the Identity had a keypair and wrote the key
     220     * @throws IOException if writing fails
    138221     */
    139222    public boolean writePrivateKey(Writer w) throws IOException {
     
    158241    /**
    159242     * Write the PEM key to the given file.
     243     * @param fn a String with the output file name
     244     * @return true if the Identity had a keypair and wrote the key
     245     * @throws IOException if writing fails
    160246     */
    161247    public boolean writePrivateKey(File fn)
     
    166252    /**
    167253     * Write the PEM key to the given OutputStream.
     254     * @param s an OutputStream to write on
     255     * @return true if the Identity had a keypair and wrote the key
     256     * @throws IOException if writing fails
    168257     */
    169258    public boolean writePrivateKey(OutputStream s)
     
    175264    /**
    176265     * Write the PEM cert to the given writer.
     266     * @param w a Writer to write on
     267     * @throws IOException if writing fails
    177268     */
    178269    public void write(Writer w) throws IOException {
     
    192283    /**
    193284     * Write the PEM cert to the given file.
     285     * @param fn a String with the output file name
     286     * @throws IOException if writing fails
    194287     */
    195288    public void write(File fn) throws IOException, FileNotFoundException {
     
    199292    /**
    200293     * Write the PEM cert to the given OutputStream.
     294     * @param s an OutputStream to write on
     295     * @throws IOException if writing fails
    201296     */
    202297    public void write(OutputStream s)
     
    206301
    207302
    208     // Accessors
     303    /**
     304     * Return the Identity's KeyID
     305     * @return the Identity's KeyID
     306     */
    209307    public String getKeyID() { return keyid; }
     308    /**
     309     * Return the Identity's mnemonic name
     310     * @return the Identity's mnemonic name
     311     */
    210312    public String getName() { return cn; }
     313    /**
     314     * Return the Identity's X509 Certificate
     315     * @return the Identity's X509 Certificate
     316     */
     317    public X509Certificate getCertificate() { return cert; }
     318    /**
     319     * Return a simple string rep of the Identity.
     320     * @return a simple string rep of the Identity.
     321     */
    211322    public String toString() {
    212323        String s = keyid + " (" + cn ;
     
    220331     * make sure that the keypair matches it.  If not throw an
    221332     * IllegalArgumentException.
     333     * @param k the KeyPair to connect
     334     * @throws IllegalArgumentException if the keypair does not
     335     *                              match the pubkey in the X509 certificate
    222336     */
    223337    public void setKeyPair(KeyPair k) {
     
    232346        else kp = k;
    233347    }
     348
     349    /**
     350     * Return the keypair associated with this Identity (if any)
     351     * @return the keypair associated with this Identity (if any)
     352     */
    234353    public KeyPair getKeyPair() { return kp; }
     354
     355    /**
     356     * Equality test.  Two Identities are equal if their key ID's match.
     357     * @return true if the two key ID's are equal.
     358     */
    235359    public boolean equals(Object o) {
    236360        if ( o == null ) return false;
     
    238362        else return getKeyID().equals(((Identity)o).getKeyID());
    239363    }
     364    /**
     365     * Allow Identities to be compared.  They are ordered by their key ID's.
     366     * @param o an Object to compare
     367     * @return -1 if this Identity is before, 0 if they are the same, and 1
     368     *              if this Identity is after the given object.
     369     */
    240370    public int compareTo(Object o) {
    241371        if ( ! (o instanceof Identity) ) return 1;
    242372        else return getKeyID().compareTo(((Identity)o).getKeyID());
    243373    }
    244     public X509Certificate getCertificate() { return cert; }
    245374
    246375};
  • java/net/deterlab/abac/Role.java

    r5129e3e re36ea1d  
    77/**
    88 * Represents a role, which is a vertex in a Credential graph.
     9 * @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
     10 * @version 1.3
    911 */
    1012public class Role implements Comparable {
     13    /** The role represnetation */
    1114    protected String m_string;
     15    /** The role broken into parts between dots */
    1216    protected String[] m_parts;
     17    /** The linking role from a linking Role */
    1318    protected String m_A_r1;
     19    /** The linked role from a linked Role */
    1420    protected String m_r2;
     21    /** A prefix of the role */
    1522    protected String m_prefix;
     23    /** Prerequisite roles for an intersection role. */
    1624    protected Role[] m_prereqs;
    1725
     
    2533     * If the string does not have this format, the constructor throws a
    2634     * RuntimeException.
    27      */
    28     public Role(String s) throws RuntimeException {
     35     *
     36     * @param s a String with the role name
     37     * @throws RuntimeException if the string is badly formatted
     38     */
     39    public Role(String s) {
    2940        m_string = s;
    3041
     
    4960    }
    5061
     62    /**
     63     * Create a role from the given string, converted from mnemonic strings to
     64     * key IDs that are known from the Context.  This is a jabac extension.
     65     * @param s the String containing the rile name.
     66     * @param c the Context in which to expand mnemonics
     67     * @throws RuntimeException if the string is badly formatted.
     68     */
    5169    public Role(String s, Context c) {
    5270        this(c.expandKeyID(s));
    5371    }
    5472
     73    /**
     74     * Copy an existing role.
     75     * @param r the Role to copy
     76     */
    5577    public Role(Role r) {
    5678        m_string = r.m_string;
     
    6789
    6890    /**
    69      * Initialize a single non-intersection role. See constructor for details of
    70      * role format. Will throw RuntimeException if the role is invalid.
    71      */
    72     private void single_role() throws RuntimeException {
     91     * Initialize a single non-intersection role. See constructor for details
     92     * of role format. Will throw RuntimeException if the role is invalid.
     93     * @throws RuntimeException if a role is invalid.
     94     */
     95    private void single_role() {
    7396        m_parts = m_string.split("\\.");
    7497        if (m_parts.length > 3)
     
    93116    /**
    94117     * Returns true iff the role is a principal.
     118     * @returns true iff the role is a principal.
    95119     */
    96120    public boolean is_principal() { return m_parts.length == 1; }
     
    98122    /**
    99123     * Returns true iff the role is a role (i.e., A.r1).
     124     * @returns true iff the role is a role (i.e., A.r1).
    100125     */
    101126    public boolean is_role() { return m_parts.length == 2; }
     
    103128    /**
    104129     * Returns true iff the role is a linking role (i.e., A.r1.r2).
     130     * @returns true iff the role is a linking role (i.e., A.r1.r2).
    105131     */
    106132    public boolean is_linking() { return m_parts.length == 3; }
     
    108134    /**
    109135     * Returns true iff the role represents an intersection role.
     136     * @returns true iff the role represents an intersection role.
    110137     */
    111138    public boolean is_intersection() { return m_prereqs != null; }
     
    115142     * refers to another role in the graph. This will throw a runtime
    116143     * exception if the node is not a linking role.
     144     * @returns the first two elements of a linking role's name.
     145     * @throws RuntimeException if the role is not linking
    117146     */
    118147    String A_r1() throws RuntimeException {
     
    125154     * Return the last element of a linking role's name. This will throw a
    126155     * runtime exception if the node is not a linking role.
     156     * @return the last element of a linking role's name.
     157     * @throws RuntimeException if the node is not a linking role.
    127158     */
    128159    String r2() throws RuntimeException {
     
    134165    /**
    135166     * Returns the principal part of a role or principal. This is everything
    136      * except the last element of the name.
    137      */
    138     public String principal_part() {
     167     * except the last element of the name.  Used by Query.
     168     * @returns the principal part of a role or principal.
     169     */
     170    String principal_part() {
    139171        return m_prefix;
    140172    }
    141173
     174    /**
     175     * Return the principal
     176     * @return the principal
     177     */
    142178    public String principal() { return m_parts.length > 0 ? m_parts[0] : null; }
     179    /**
     180     * Return the role name (part after the first dot and before any second)
     181     * @return the role name
     182     */
    143183    public String role_name() { return m_parts.length > 1 ? m_parts[1] : null; }
     184    /**
     185     * Return the linked role (first two parts of a linking role)
     186     * @return the linked role
     187     */
    144188    public String linked_role() { return A_r1(); }
    145189
     
    147191     * Get the roles that form the prerequisites to this intersection. Throws
    148192     * a runtime exception if this is not an intersection role.
     193     * @return a Role[] of prerequisites
     194     * @throws RuntimeException if this is not an intersection role
    149195     */
    150196    Role[] prereqs() throws RuntimeException {
Note: See TracChangeset for help on using the changeset viewer.