1 | |
|
2 | |
|
3 | |
|
4 | |
|
5 | |
|
6 | |
|
7 | |
|
8 | |
|
9 | |
|
10 | |
package org.openpermis.cert; |
11 | |
|
12 | |
import java.io.IOException; |
13 | |
import java.io.StringReader; |
14 | |
import java.net.URI; |
15 | |
import java.net.URL; |
16 | |
import java.security.Principal; |
17 | |
import java.security.cert.CertificateException; |
18 | |
import java.util.List; |
19 | |
|
20 | |
import javax.security.auth.x500.X500Principal; |
21 | |
|
22 | |
import org.bouncycastle.util.StreamParsingException; |
23 | |
import org.bouncycastle.x509.X509Attribute; |
24 | |
|
25 | |
import org.openpermis.PolicyDecisionPoint; |
26 | |
import org.openpermis.basic.AbsoluteTimePeriod; |
27 | |
import org.openpermis.basic.ExpirablePolicyDecisionPoint; |
28 | |
import org.openpermis.basic.TimePeriod; |
29 | |
import org.openpermis.cert.RoleAttribute.RoleDefinition; |
30 | |
import org.openpermis.policy.bean.basic.BasicPartBeanFactory; |
31 | |
import org.openpermis.policy.io.PolicyException; |
32 | |
import org.openpermis.policy.io.PolicyReader; |
33 | |
import org.openpermis.policy.io.StrictPolicyReader; |
34 | |
import org.openpermis.policy.io.xml.PermisXmlReader; |
35 | |
|
36 | |
|
37 | |
|
38 | |
|
39 | |
|
40 | |
|
41 | |
public final class AttributeCertificateExtractorUtility { |
42 | |
|
43 | |
|
44 | |
|
45 | |
|
46 | |
|
47 | |
|
48 | |
|
49 | |
|
50 | |
|
51 | |
public static TimePeriod readValidityPeriod (AttributeCertificate certificate) { |
52 | 9 | nullCheck(certificate); |
53 | |
|
54 | 9 | return new AbsoluteTimePeriod( |
55 | |
certificate.getNotBefore(), |
56 | |
certificate.getNotAfter() |
57 | |
); |
58 | |
} |
59 | |
|
60 | |
|
61 | |
|
62 | |
|
63 | |
|
64 | |
|
65 | |
|
66 | |
|
67 | |
|
68 | |
|
69 | |
|
70 | |
|
71 | |
public static X500Principal readHolder (AttributeCertificate certificate) |
72 | |
throws AttributeCertificateException |
73 | |
{ |
74 | 9 | nullCheck(certificate); |
75 | |
|
76 | 9 | final Principal[] principals = certificate.getHolder().getEntityNames(); |
77 | 9 | if (principals.length != 1) { |
78 | 0 | throw new AttributeCertificateException( |
79 | |
"AC should contain exactly one general holder name." |
80 | |
); |
81 | |
} |
82 | 9 | if (!(principals[0] instanceof X500Principal)) { |
83 | 0 | throw new AttributeCertificateException("AC contains an illeagal holder name."); |
84 | |
} |
85 | |
|
86 | 9 | return (X500Principal) principals[0]; |
87 | |
} |
88 | |
|
89 | |
|
90 | |
|
91 | |
|
92 | |
|
93 | |
|
94 | |
|
95 | |
|
96 | |
|
97 | |
public static X500Principal readIssuer (AttributeCertificate certificate) |
98 | |
throws AttributeCertificateException |
99 | |
{ |
100 | 8 | nullCheck(certificate); |
101 | |
|
102 | 8 | final Principal[] principals = certificate.getIssuer().getPrincipals(); |
103 | 8 | if (principals.length != 1) { |
104 | 0 | throw new AttributeCertificateException( |
105 | |
"AC must contain exactly one general issuer name." |
106 | |
); |
107 | |
} |
108 | 8 | if (!(principals[0] instanceof X500Principal)) { |
109 | 0 | throw new AttributeCertificateException("AC contains an illeagal issuer name."); |
110 | |
} |
111 | |
|
112 | 8 | return (X500Principal) principals[0]; |
113 | |
} |
114 | |
|
115 | |
|
116 | |
|
117 | |
|
118 | |
|
119 | |
|
120 | |
|
121 | |
|
122 | |
public static String readPolicyAttribute (AttributeCertificate certificate) |
123 | |
throws AttributeCertificateException |
124 | |
{ |
125 | 0 | nullCheck(certificate); |
126 | |
|
127 | 0 | final X509Attribute[] attributes = certificate.getAttributes(PolicyAttribute.OID); |
128 | 0 | if (attributes == null || attributes.length == 0) { |
129 | 0 | throw new AttributeCertificateException("AC contains no policy attribute."); |
130 | |
} |
131 | 0 | if (attributes.length > 1) { |
132 | 0 | throw new AttributeCertificateException("AC contains more than one policy attribute."); |
133 | |
} |
134 | |
try { |
135 | 0 | return new PolicyAttribute(attributes[0]).getPolicy(); |
136 | 0 | } catch (StreamParsingException e) { |
137 | 0 | throw new AttributeCertificateException("AC contains invalid encoded policy.", e); |
138 | |
} |
139 | |
} |
140 | |
|
141 | |
|
142 | |
|
143 | |
|
144 | |
|
145 | |
|
146 | |
|
147 | |
|
148 | |
public static List<RoleDefinition> readRoleAttribute (AttributeCertificate certificate) |
149 | |
throws AttributeCertificateException |
150 | |
{ |
151 | 9 | nullCheck(certificate); |
152 | |
|
153 | 9 | final X509Attribute[] attributes = certificate.getAttributes(RoleAttribute.OID); |
154 | 9 | if (attributes == null || attributes.length == 0) { |
155 | 0 | throw new AttributeCertificateException("AC contains no role attribute."); |
156 | |
} |
157 | 9 | if (attributes.length > 1) { |
158 | 0 | throw new AttributeCertificateException("AC contains more than one role attribute."); |
159 | |
} |
160 | |
try { |
161 | 9 | return new RoleAttribute(attributes[0]).getRoles(); |
162 | 0 | } catch (StreamParsingException e) { |
163 | 0 | throw new AttributeCertificateException("AC contains invalid encoded roles.", e); |
164 | |
} |
165 | |
} |
166 | |
|
167 | |
|
168 | |
|
169 | |
|
170 | |
|
171 | |
|
172 | |
|
173 | |
|
174 | |
|
175 | |
|
176 | |
|
177 | |
|
178 | |
|
179 | |
|
180 | |
|
181 | |
|
182 | |
|
183 | |
public static PolicyDecisionPoint createPolicyDecisionPoint ( |
184 | |
URL policyCertificate, CertificateVerifier certificateVerifier |
185 | |
) |
186 | |
throws StreamParsingException, |
187 | |
IOException, |
188 | |
CertificateException, |
189 | |
PolicyException, |
190 | |
AttributeCertificateException |
191 | |
{ |
192 | 0 | if (policyCertificate == null || certificateVerifier == null) { |
193 | 0 | throw new IllegalArgumentException("Policy or certificate verifier is null"); |
194 | |
} |
195 | |
|
196 | 0 | final AttributeCertificate certificate = |
197 | |
new AttributeCertificate(policyCertificate.openStream()); |
198 | |
|
199 | 0 | final TimePeriod validity = |
200 | |
AttributeCertificateExtractorUtility.readValidityPeriod(certificate); |
201 | |
|
202 | |
|
203 | |
try { |
204 | 0 | certificateVerifier.verifyCertificate(certificate); |
205 | 0 | } catch (Exception e) { |
206 | 0 | throw new CertificateException("Could not verify policy attribute certifcate", e); |
207 | 0 | } |
208 | |
|
209 | |
|
210 | 0 | final String policy = AttributeCertificateExtractorUtility.readPolicyAttribute(certificate); |
211 | |
|
212 | |
|
213 | 0 | final PolicyReader reader = new StrictPolicyReader( |
214 | |
new PermisXmlReader( |
215 | |
new StringReader(policy), new BasicPartBeanFactory() |
216 | |
) |
217 | |
); |
218 | 0 | return new ExpirablePolicyDecisionPoint(reader.readPolicy(), validity); |
219 | |
} |
220 | |
|
221 | |
|
222 | |
|
223 | |
|
224 | |
|
225 | |
|
226 | |
|
227 | |
|
228 | |
|
229 | |
|
230 | |
|
231 | |
public static String readPolicy (URL policyCertificate) |
232 | |
throws IOException, |
233 | |
AttributeCertificateException |
234 | |
{ |
235 | 0 | return AttributeCertificateExtractorUtility.readPolicyAttribute( |
236 | |
new AttributeCertificate(policyCertificate.openStream())); |
237 | |
} |
238 | |
|
239 | |
|
240 | |
|
241 | |
|
242 | |
public static X500Principal toX500Principal (URI uri) { |
243 | 0 | return new X500Principal(uri.getPath()); |
244 | |
} |
245 | |
|
246 | |
|
247 | |
|
248 | |
|
249 | |
public static URI toUri (X500Principal principal) { |
250 | 16 | return URI.create(principal.getName("CANONICAL")); |
251 | |
} |
252 | |
|
253 | |
|
254 | |
|
255 | |
|
256 | |
private static void nullCheck (AttributeCertificate certificate) { |
257 | 35 | if (certificate == null) { |
258 | 0 | throw new IllegalArgumentException("Attribute certificate is null."); |
259 | |
} |
260 | 35 | } |
261 | |
|
262 | |
|
263 | |
|
264 | |
|
265 | |
|
266 | |
|
267 | 0 | private AttributeCertificateExtractorUtility () { |
268 | |
|
269 | 0 | } |
270 | |
|
271 | |
|
272 | |
} |