
📄 psecredential.java

📁 jxta_src_2.41b: latest JXTA 2.41b source code, from www.jxta.org
💻 JAVA
📖 Page 1 of 2
/*
 * Copyright (c) 2001 Sun Microsystems, Inc.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. The end-user documentation included with the redistribution,
 *    if any, must include the following acknowledgment:
 *       "This product includes software developed by the
 *       Sun Microsystems, Inc. for Project JXTA."
 *    Alternately, this acknowledgment may appear in the software itself,
 *    if and wherever such third-party acknowledgments normally appear.
 *
 * 4. The names "Sun", "Sun Microsystems, Inc.", "JXTA" and "Project JXTA"
 *    must not be used to endorse or promote products derived from this
 *    software without prior written permission. For written
 *    permission, please contact Project JXTA at http://www.jxta.org.
 *
 * 5. Products derived from this software may not be called "JXTA",
 *    nor may "JXTA" appear in their name, without prior written
 *    permission of Sun.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL SUN MICROSYSTEMS OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of Project JXTA.  For more
 * information on Project JXTA, please see
 * <http://www.jxta.org/>.
 *
 * This license is based on the BSD license adopted by the Apache Foundation.
 *
 * $Id: PSECredential.java,v 1.8 2005/12/06 19:23:33 bondolo Exp $
 */
package net.jxta.impl.membership.pse;

import java.beans.PropertyChangeListener;
import java.beans.PropertyChangeSupport;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.SequenceInputStream;
import java.io.StringReader;
import java.net.URI;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Timer;
import java.util.TimerTask;

import java.io.IOException;
import java.net.URISyntaxException;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import javax.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;

import org.apache.log4j.Level;
import org.apache.log4j.Logger;

import net.jxta.credential.Credential;
import net.jxta.credential.CredentialPCLSupport;
import net.jxta.document.Attributable;
import net.jxta.document.Attribute;
import net.jxta.document.Element;
import net.jxta.document.MimeMediaType;
import net.jxta.document.StructuredDocument;
import net.jxta.document.StructuredDocumentUtils;
import net.jxta.document.StructuredDocumentFactory;
import net.jxta.document.XMLDocument;
import net.jxta.document.XMLElement;
import net.jxta.id.ID;
import net.jxta.id.IDFactory;
import net.jxta.peer.PeerID;
import net.jxta.peergroup.PeerGroupID;
import net.jxta.service.Service;

import net.jxta.exception.PeerGroupException;

import net.jxta.impl.util.TimerThreadNamer;

/**
 *  This class provides the sub-class of Credential which is associated with the
 *  PSE membership service.
 *
 *  <p/>There are two variants of the credential:
 *
 *  <ul>
 *      <li>local - Generated as a result of local login. This type of
 *      credential can be used for signing and can be serialized for inclusion
 *      in protocols.</li>
 *      <li>remote - Generated as a result of deserialization from protocols.
 *      The credential is verified to ensure that the contents are valid at the
 *      time it is created.</li>
 *  </ul>
 *
 *  <p/>The schema for this credential format:
 *
 *  <pre><code>
 *  &lt;xs:element name="PSECred" type="jxta:PSECred" />
 *
 *  &lt;xs:complexType name="PSECred">
 *    &lt;xs:sequence>
 *      &lt;xs:element name="PeerGroupID" type="jxta:JXTAID" />
 *      &lt;xs:element name="PeerID" type="jxta:JXTAID" />
 *      &lt;!-- An X.509 Certificate -->
 *      &lt;xs:element name="Certificate" type="xs:string" minOccurs="1" maxOccurs="unbounded" />
 *      &lt;!-- A SHA1WithRSA Signature -->
 *      &lt;xs:element name="Signature" type="xs:string" />
 *    &lt;/xs:sequence>
 *  &lt;/xs:complexType>
 *  &lt;/code></pre>
 *
 *  <p/>FIXME 20050625 bondolo If the certificate chain for a credential is
 *  updated in the PSE keystore after a credential is created then the
 *  credential instance will not reflect those changes. This can be a problem if
 *  the issuer chain changes or expiries are updated. Even though it's going to
 *  be hit on performance PSECredential needs to be changed to be backed by the PSE
 *  keystore directly rather than containing the certs. Either that or some kind
 *  of notification systems. It's probably best to assume that our simple cm
 *  based keystore is the easiest and least dynamic case. Every other key store
 *  is going to be more dynamic and difficult. The work around for now is to
 *  force a membership resign every time the keystore contents are changed.
 *
 * @see net.jxta.credential.Credential
 * @see net.jxta.impl.membership.pse.PSEMembershipService
 **/
public final class PSECredential implements Credential, CredentialPCLSupport {

    /**
     *  Log4J Logger
     **/
    private static final Logger LOG = Logger.getLogger(PSECredential.class.getName());

    /**
     *  A Timer we use for managing the cert expirations.
     **/
    private static Timer expirationTimer = new Timer( true );

    static {
        expirationTimer.schedule(new TimerThreadNamer("PSECredential Expiration Timer"), 0 );
    }

    /**
     * The MembershipService service which generated this credential.
     *
     * XXX 20030609 bondolo@jxta.org Perhaps this should be a weak reference.
     **/
    private PSEMembershipService source;

    /**
     * The peer group associated with this credential.
     **/
    private ID peerGroupID = null;

    /**
     * The peerid associated with this credential.
     **/
    private ID peerID = null;

    /**
     *  The pse alias from which this credential was generated. Only locally
     *  created credentials will be initialized with a key ID.
     **/
    private ID keyID = null;

    /**
     * The identity associated with this credential
     **/
    private CertPath certs = null;

    /**
     *  The private key associated with this credential. Used for signing. Only
     *  a locally created credential will have an initialized private key.
     **/
    private PrivateKey privateKey = null;

    /**
     *  Optional Timer task
     **/
    private TimerTask becomesValidTask = null;
    private TimerTask expiresTask = null;

    /**
     *  Are we still a valid credential?
     **/
    private boolean valid = true;

    /**
     *   Is this a local credential?
     **/
    private final boolean local;

    /**
     *  property change support
     **/
    private PropertyChangeSupport support = new PropertyChangeSupport(this);

    /**
     *  Create a new local credential. This credential can be used for signing
     *  and can be serialized.
     **/
    protected PSECredential( PSEMembershipService source, ID keyID, CertPath certChain, PrivateKey privateKey ) throws IOException {
        this.source = source;
        this.peerID = source.group.getPeerID();
        this.peerGroupID = source.group.getPeerGroupID();
        setKeyID( keyID );
        setCertificateChain( certChain );
        setPrivateKey( privateKey );
        this.local = true;
    }

    /**
     *  Create a new remote credential. This credential cannot be used for
     *  signing and cannot be re-serialized.
     **/
    public PSECredential( Element root ) {
        this.local = false;
        initialize( root );
    }

    /**
     *  Create a new remote credential. This credential cannot be used for
     *  signing and cannot be re-serialized.
     **/
    public PSECredential( PSEMembershipService source, Element root ) {
        this.local = false;
        this.source = source;
        initialize( root );

        if( !peerGroupID.equals( source.group.getPeerGroupID() ) ) {
            throw new IllegalArgumentException( "Credential is from a different group. " + peerGroupID + " != " + source.group.getPeerGroupID() );
        }
    }

    /**
     *  {@inheritDoc}
     **/
    public boolean equals( Object target ) {

        if( this == target ) {
            return true;
        }

        if( target instanceof PSECredential ) {
            PSECredential asCred = (PSECredential) target;

            // Compare the stored group IDs rather than going through source,
            // which is null for a credential built from an Element alone.
            boolean result = peerID.equals( asCred.peerID ) &&
            peerGroupID.equals( asCred.peerGroupID );

            result &= certs.equals( asCred.certs );

            return result;
        }

        return false;
    }

    /**
     *  {@inheritDoc}
     **/
    protected void finalize() throws Throwable {
        if( null != becomesValidTask ) {
            becomesValidTask.cancel();
        }

        if( null != expiresTask ) {
            expiresTask.cancel();
        }

        super.finalize();
    }

    /**
     *  {@inheritDoc}
     **/
    public int hashCode() {
        // Uses the stored group ID; source is null for a credential built
        // from an Element alone.
        int result = peerID.hashCode() *
        peerGroupID.hashCode() *
        certs.hashCode();

        if( 0 == result  ) {
            result = 1;
        }

        return result;
    }

    /**
     *  {@inheritDoc}
     **/
    public String toString() {
        return "\"" + getSubject() + "\" " + getPeerID() + " [" + source + " / " + getPeerGroupID() + "]";
    }

    /**
     *  Add a listener
     *
     *  @param listener the listener
     **/
    public void addPropertyChangeListener( PropertyChangeListener listener ) {
        support.addPropertyChangeListener(listener );
    }

    /**
     *  Add a listener
     *
     *  @param propertyName the property to watch
     *  @param listener the listener
     **/
    public void addPropertyChangeListener( String propertyName, PropertyChangeListener listener ) {
        support.addPropertyChangeListener( propertyName, listener );
    }

    /**
     *  Remove a listener
     *
     *  @param listener the listener
     **/
    public void removePropertyChangeListener( PropertyChangeListener listener ) {
        support.removePropertyChangeListener( listener );
    }

    /**
     *  Remove a listener
     *
     *  @param propertyName the property which was watched
     *  @param listener the listener
     **/
    public void removePropertyChangeListener( String propertyName, PropertyChangeListener listener ) {
        support.removePropertyChangeListener( propertyName, listener );
    }

    /**
     * {@inheritDoc}
     **/
    public ID getPeerGroupID() {
        return peerGroupID;
    }

    /**
     * set the peer group id associated with this credential
     **/
    private void setPeerGroupID( ID newID ) {
        this.peerGroupID = newID;
    }

    /**
     * {@inheritDoc}
     **/
    public ID getPeerID() {
        return peerID;
    }

    /**
     * set the peer id associated with this credential
     **/
    private void setPeerID( PeerID peerID ) {
        this.peerID = peerID;
    }

    /**
     * {@inheritDoc}
     *
     * <p/>A PSE Credential is valid as long as the associated certificate is
     * valid.
     **/
    public boolean isExpired() {
        try {
            // Only the first certificate in the chain (index 0) is checked here.
            ((X509Certificate) certs.getCertificates().get(0)).checkValidity();
            return false;
        } catch ( CertificateExpiredException expired ) {
            return true;
        } catch ( CertificateNotYetValidException notyet ) {
            return true;
        }
    }

    /**
     * {@inheritDoc}
     *
     * <p/>A PSE Credential is valid as long as the associated certificate is
     * valid and as long as the membership service still has the credential.
     **/
    public boolean isValid() {
        return valid && !isExpired();
    }

    /**
     * {@inheritDoc}
     *
     * <p/>A PSE Credential is valid as long as the associated certificate is
     * valid.
     **/
    void setValid( boolean valid ) {
        boolean oldValid = isValid();
        this.valid = valid;
