* ParsedToken and the original object in it.
*
* <p>If the X.509 Attribute Certificate to be decoded contains an attribute
* with the OID matching one of the role types defined in the
* RoleHierarchyPolicy, all the values are assumed to be Printable Strings.
* Among these values the ones not mentioned in the RoleHierarchyPolicy are
* ignored; the known values are mapped into the role hierarchy, so that the
* resulting Credentials contained in the ParsedToken can be compared.
*
* <p>The attributes with OID not mentioned in the RoleHierarchyPolicy are
* ignored.
*
* <p>If an unknown critical extension is encountered, parsing of the AC
* fails.
*
* <p>If the AC contains a noAssertion extension, the ParsedToken's
* Credentials will be an empty set (but the delegatable Credentials may not
* be an empty set).
*
* <p>If the AC contains a basicAttributeConstraints extension, the result
* will be a DelegatableToken with the delegatable Credentials set to the
* set of Credentials contained in the AC. It will be the same as the
* assertable Credentials, if no noAssertion extension is there. The depth
* of delegation in the DelegatableToken will be the value of the
* basicAttributeConstraints cast to a 32-bit non-negative number (should be
* enough to express any delegation tree in the world) with the same
* semantics as in basicAttributeConstraints, or "-1", if unconstrained
* delegation is allowed by the extension (no delegation depth was
* specified in the AC).
*
* @param acB a byte array of the BER-encoded X.509 AttributeCertificate
*
* @return the ParsedToken representing the Attribute Certificate
*
* @throws PbaException if no Role Hierarchy Policy has been specified
* through the constructor or either of the methods, or if there was a
* problem when decoding the Authorisation Token
*/
public ParsedToken decode(Object acB) throws issrg.pba.PbaException{
    // Precondition: without a role hierarchy the attribute values cannot be
    // mapped to roles at all, so decoding is refused up front.
    if (roleHierarchy==null) throw new issrg.pba.PbaException("Failed to decode an AC: no Role Hierarchy was specified");
    // Result of the signature check; stays false unless the check passes or is skipped.
    boolean bSignatureVerification=false;
    // An already decoded token is returned as-is: it is neither re-parsed nor re-verified here.
    if (acB instanceof ParsedToken) return (ParsedToken)acB;
    issrg.ac.AttributeCertificate ac;
    Principal signer;
    try{
        ac = issrg.ac.AttributeCertificate.guessEncoding(acB);
        // The issuer name is taken from the v1 form when present, otherwise from the v2 form.
        signer = new LDAPDNPrincipal(issrg.ac.Util.generalNamesToString(ac.getACInfo().getIssuer().getV1Form()==null?ac.getACInfo().getIssuer().getV2Form().getIssuerName():ac.getACInfo().getIssuer().getV1Form()));
    }catch (Throwable th){
        // Any failure while decoding (including errors raised by the ASN.1 layer) is
        // reported as a PbaException carrying the original cause.
        throw new issrg.pba.PbaException("Couldn't decode the Attribute Certificate", th);
    }
    byte[] value;
    byte[] signature;
    String algorithmid;
    // Set when the signature check throws or reports failure. The exception is deferred
    // until the token has been fully built, so that it can be attached to the failure.
    Exception signatureVerificationFailed=null;
    // Validity period shared by every credential extracted from this AC.
    issrg.pba.rbac.ValidityPeriod vp = new issrg.pba.rbac.AbsoluteValidityPeriod(
        ac.getACInfo().getValidityPeriod().getNotBefore().getTime().getTime(),
        ac.getACInfo().getValidityPeriod().getNotAfter().getTime().getTime()
    );
    java.util.Vector attributes = ac.getACInfo().getAttributes();
    java.util.Vector roles = new java.util.Vector();
    // Walk the attributes backwards; only attributes whose OID is registered as a
    // role type in the role hierarchy contribute roles, all others are skipped.
    for (int i=attributes.size(); i-->0;){
        issrg.ac.Attribute att = (issrg.ac.Attribute)attributes.get(i);
        String type = roleHierarchy.getTypeByOID(att.getType());
        if (type!=null){ // aha! such a type has been registered. we know roles of this type
            java.util.Vector av = att.getValues();
            try{
                for (int j=av.size(); j-->0;){
                    issrg.pba.rbac.RoleHierarchyNode rhn = roleHierarchy.getRole(type, new issrg.ac.attributes.PermisRole(
                        (issrg.ac.AttributeValue)av.get(j)
                        ).getRoleValue()
                    );
                    if (rhn!=null){ // if null, then no such role has been found in the hierarchy - the value is ignored
                        roles.add(new issrg.pba.rbac.ExpirableCredentials(
                            new issrg.pba.rbac.PermisCredentials(rhn),
                            vp
                            )
                        );
                    }
                }
            }catch(iaik.asn1.CodingException ce){
                // ignore malformed Attributes: a coding error stops the processing of the
                // remaining values of THIS attribute only; roles already collected from it
                // are kept, and nothing is reported to the caller.
            }
        }
    }
    Vector extensions = ac.getACInfo().getExtensions().getValues();
    int numberOfExtension = extensions.size();
    int depth=0;
    issrg.pba.Credentials creds=new issrg.pba.rbac.SetOfSubsetsCredentials(roles);
    // By default everything extracted is assertable and nothing is delegatable;
    // the extensions below adjust both.
    issrg.pba.Credentials assertableCredentials=creds;
    issrg.pba.Credentials delegateableCredentials=null;
    ACUserEntry h = new ACUserEntry(ac);
    TokenLocator issuerTokenLocator=null;
    TokenLocator signerTokenLocator=null;
    // the default Subject Domain is set to the whole world, excluding the Holder of the AC - the Holder can't delegate to himself
    Subtree subjectDomain=new DITSubtree(LDAPDNPrincipal.WHOLE_WORLD_DN, 0, -1, null,
        new Subtree[]{new DITSubtree(h.getDN(), 0, 0, null, null)});
    Entry signerEntry = new SimpleEntry(signer);
    for (int ii = 0; ii < numberOfExtension; ii++) {
        Extension e = (Extension) extensions.get(ii);
        if (e instanceof NoAssertion) {
            // noAssertion: the holder may not assert the roles itself, so the
            // assertable set becomes empty (the delegatable set is untouched).
            assertableCredentials=NullCreds;
        }
        if (e instanceof BasicAttConstraint) {
            // basicAttributeConstraints: the extracted roles become delegatable as well.
            delegateableCredentials=creds;
            depth = ((BasicAttConstraint) e).getDepth(); //-1 for unlimited, 0 for 1 level, 2 for 2 level...
        }
        if (e instanceof AttributeAuthorityInformationAccess){
            // Each AAIA extension prepends a locator for the repositories it names; the chain
            // is built in extension order.
            AttributeRepository rep = PermisRBAC.getRepositories(((AttributeAuthorityInformationAccess)e).getLocations());
            issuerTokenLocator = new EntryLocator(signerEntry, LDAPDNPrincipal.WHOLE_WORLD_DN, rep, issuerTokenLocator);
        }
        // when Subject Domain extension is supported, insert code here to modify subjectDomain
        if (e.getClass().equals(Extension.class) && e.isCritical()){
            // it wasn't parsed using a special class, so it is an unsupported critical extension
            // ignore the extracted attributes, but don't complain
            // NOTE(review): the Javadoc above states that parsing "fails" on an unknown critical
            // extension, but this code instead returns a token with empty assertable credentials
            // and no delegatable credentials, without any indication to the caller that a
            // critical extension was not understood.
            assertableCredentials=NullCreds;
            delegateableCredentials=null;
            break; // no point looking through the AC anymore
        }
    }
    // signerTokenLocator is never assigned in the loop above, so it always starts
    // from the issuer locator chain here.
    if (signerTokenLocator==null) signerTokenLocator=issuerTokenLocator;
    // add the default locators too - the DN without any Repository attached to it
    issuerTokenLocator=new EntryLocator(signerEntry, signer, null, issuerTokenLocator);
    signerTokenLocator=new EntryLocator(signerEntry, signer, null, signerTokenLocator);
    // no harm passing delegatable credentials and a depth. If BasicAttConstraint
    // extension is present, the delegatableCredentials is not an empty set
    // and depth is meaningful. Otherwise delegatableCredentials is an empty set.
    ParsedToken p;
    if (delegateableCredentials!=null){
        p=new DefaultDelegatableToken(h, issuerTokenLocator, assertableCredentials, delegateableCredentials, subjectDomain, depth);
    }else{
        p=new DefaultParsedToken(h, issuerTokenLocator, assertableCredentials);
    }
    // The token is built BEFORE the signature is checked, so that a verification failure
    // can still carry the decoded token (see the throw at the end). Nothing about p has
    // been verified at this point: if this method throws, p must not be trusted.
    try{
        // because the AC has been successfully decode previously, acB must be a byte array
        // NOTE(review): that assumption is not checked. Should guessEncoding() accept a
        // non-byte[] input, the cast below throws ClassCastException, which the catch
        // clause turns into a signature-verification failure rather than a decoding error.
        value=issrg.ac.AttributeCertificate.getToBeSignedByteArray((byte[])acB);
        signature=(byte[]) ac.getSignatureValue().getValue();
        algorithmid=ac.getSignatureAlgorithm().getAlgorithm().getID();
        // With no verifier configured (SV == null) the signature is not checked at all and
        // the AC is accepted as-is; the extracted credentials are then trusted without
        // any cryptographic check. Deploying without a verifier is therefore a policy
        // decision that must be made deliberately.
        if (SV == null) // no signature verification is needed
            bSignatureVerification = true;
        else // the signature verification process is needed
            bSignatureVerification=SV.checkSignature(value,signature,algorithmid,signerTokenLocator);
        if(bSignatureVerification==false){
            //signature verification fails...
            throw new issrg.pba.PbaException("Signature verification failed");
        }
    }catch(Exception e){
        // Catches the PbaException thrown just above as well as anything the verifier throws.
        signatureVerificationFailed=e; // now we won't throw the exception just yet - wait for the token to be decoded
    }
    // now if signature verification failed, we will throw the exception
    // with the successfully decoded AC in it; some intelligent code may find it useful
    if (signatureVerificationFailed!=null) throw new SignatureVerificationFailedException(signatureVerificationFailed, p, acB);
    return p;
}
}