
📄 ptbsignatureverifier.java

📁 一个完整的XACML工程,学习XACML技术的好例子!
/*
* Copyright (c) 2006, University of Kent
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without 
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this 
* list of conditions and the following disclaimer.
* 
* Redistributions in binary form must reproduce the above copyright notice, 
* this list of conditions and the following disclaimer in the documentation 
* and/or other materials provided with the distribution. 
*
* 1. Neither the name of the University of Kent nor the names of its 
* contributors may be used to endorse or promote products derived from this 
* software without specific prior written permission. 
*
* 2. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS  
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
* PURPOSE ARE DISCLAIMED. 
*
* 3. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
* POSSIBILITY OF SUCH DAMAGE.
*
* 4. YOU AGREE THAT THE EXCLUSIONS IN PARAGRAPHS 2 AND 3 ABOVE ARE REASONABLE
* IN THE CIRCUMSTANCES.  IN PARTICULAR, YOU ACKNOWLEDGE (1) THAT THIS
* SOFTWARE HAS BEEN MADE AVAILABLE TO YOU FREE OF CHARGE, (2) THAT THIS
* SOFTWARE IS NOT "PRODUCT" QUALITY, BUT HAS BEEN PRODUCED BY A RESEARCH
* GROUP WHO DESIRE TO MAKE THIS SOFTWARE FREELY AVAILABLE TO PEOPLE WHO WISH
* TO USE IT, AND (3) THAT BECAUSE THIS SOFTWARE IS NOT OF "PRODUCT" QUALITY
* IT IS INEVITABLE THAT THERE WILL BE BUGS AND ERRORS, AND POSSIBLY MORE
* SERIOUS FAULTS, IN THIS SOFTWARE.
*
* 5. This license is governed, except to the extent that local laws
* necessarily apply, by the laws of England and Wales.
*/
package issrg.test.ptb;


import iaik.x509.X509Certificate;
import iaik.asn1.ObjectID;
import iaik.security.rsa.Md5RSASignature;
import iaik.security.rsa.ShaRSASignature;

import java.util.Hashtable;
import java.io.FileInputStream;

/**
* This class implements the SignatureVerifier interface and provides the following mechanisms:
 * <p>
 * <ul>
 * <li> Verification of the self-signed CA certificate
 * <li> Verification of the X.509 identity certificates related to the different SOAs involved in
 * the application scenario
 * <li> Verification of the digital signature of the different attribute certificates related to
 * end users. Those certificates are checked using the public key contained in the X.509 identity certificate
 * related to the corresponding SOA.
 * </ul>
 * <p>
 * This class assumes that:
 * <p>
 * <ul>
 * <li> Identity certificates of the different SOAs are issued by the self-signed CA (no subordinate CAs are used)
 * <li> SOAs are the only issuers of the ACs (no subordinate AAs are used)
 * </ul>
 *
 * @author O Canovas
 * @author O Otenko
 * @version 0.1
*/
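public class PTBSignatureVerifier implements issrg.pba.rbac.SignatureVerifier {

    /**
     * Trust anchor. It is only assigned once the certificate's self-signature
     * has verified, so a failed {@link #setCACertificate(String)} call never
     * leaves an unverified certificate in place.
     */
    protected X509Certificate caCertificate = null;

    /**
     * Identity certificates of the SOAs, indexed by the subject DN string.
     * Only certificates whose signature verified under the CA key are stored.
     */
    protected Hashtable soaCerts = null;

    /**
     * Constructs a PTBSignatureVerifier. It has no parameters, and
     * its main function is to initialise the hash table.
     */
    public PTBSignatureVerifier() {
        soaCerts = new Hashtable();
    }

    /**
     * Reads the CA certificate from a file and checks its self-signature.
     * <p>
     * A valid self-signature only shows that the certificate is internally
     * consistent; anyone can produce a self-signed certificate. The trust
     * placed in the CA therefore rests entirely on the integrity of
     * <code>file</code>, which must come from a location that only the
     * administrator can write to.
     * <p>
     * Only the signature is checked here. The validity period and the
     * certificate extensions are not examined.
     *
     * @param file is the file containing the certificate
     * @return true if the certificate was successfully read and validated;
     *    false otherwise, in which case any previously set CA certificate
     *    is left unchanged
     */
    public boolean setCACertificate(String file) {
        FileInputStream fis = null;
        try {
            fis = new FileInputStream(file);
            X509Certificate candidate = new X509Certificate(fis);
            candidate.verify();
            // Publish the trust anchor only after verification succeeded;
            // assigning first would leave an unverified certificate behind
            // when verify() throws.
            caCertificate = candidate;
            return true;
        }
        catch (Exception e) {
            e.printStackTrace();
            return false;
        }
        finally {
            closeQuietly(fis);
        }
    }

    /**
     * Reads an SOA certificate from a file, checks that it was signed with
     * the CA key, and inserts it in the hash table.
     * <p>
     * Only the signature is checked here. The validity period and the
     * certificate extensions are not examined, and no revocation check is
     * made. A certificate with the same subject DN as an earlier one
     * replaces the earlier entry.
     *
     * @param file is the file containing the certificate
     * @return true if the certificate was successfully read and validated;
     *    false if no CA certificate has been set, the file could not be
     *    read, or the signature did not verify under the CA key
     */
    public boolean addSOACertificate(String file) {
        if (caCertificate == null) {
            // Without a trust anchor nothing can be validated: fail closed
            // instead of relying on a NullPointerException further down.
            System.out.println("The certificate contained in " + file + " cannot be validated");
            return false;
        }
        FileInputStream fis = null;
        try {
            fis = new FileInputStream(file);
            X509Certificate soaCert = new X509Certificate(fis);
            try {
                soaCert.verify(caCertificate.getPublicKey());
            }
            catch (Exception e) {
                e.printStackTrace();
                System.out.println("The certificate contained in " + file + " cannot be validated");
                // A certificate that did not validate is not trusted, and
                // the caller must be told so.
                return false;
            }
            //Indexed by subject DN
            soaCerts.put(soaCert.getSubjectDN().getName(), soaCert);
            return true;
        }
        catch (Exception e) {
            e.printStackTrace();
            return false;
        }
        finally {
            closeQuietly(fis);
        }
    }


    /**
     * Checks if the <code>signature</code> for the given <code>value</code> has been signed by
     * the <code>signer</code>. The signer's certificate is looked up by name among the SOA
     * certificates accepted by {@link #addSOACertificate(String)}; the SOA -> CA step of the
     * path was checked when the certificate was added and is not repeated here.
     * <p>
     * This method does not perform any kind of verification related to revocations
     * (CRLs, OCSP queries), and it does not check certificate validity periods.
     * <p>
     * Only <code>md5WithRSAEncryption</code> and <code>sha1WithRSAEncryption</code> are
     * recognised; any other algorithm is rejected. MD5 is broken with respect to collisions
     * and SHA-1 is deprecated for signatures, so these two are retained for compatibility
     * with existing attribute certificates only.
     * <p>
     * The method fails closed: a missing argument, an unknown algorithm, an unknown signer
     * or any exception raised during verification yields <code>false</code>.
     *
     * @param value is the byte array that had been signed
     * @param signature is the byte array of the resulting signature
     * @param algorithmID is the String representation (dotted form) of the
     *    object identifier of the algorithm used for signing
     * @param signer is the TokenLocator identifying the signer
     *
     * @return true, if there is a valid PKI token, which proves the
     *    signature is valid; false otherwise
     */
    public boolean checkSignature(byte[] value, byte[] signature,
                                String algorithmID, issrg.utils.repository.TokenLocator signer) {
        if (value == null || signature == null || algorithmID == null || signer == null) {
            return false;
        }
        try {
            //First, we get the name related to the Algorithm identifier
            // NOTE(review): the name is presumably null for an OID that is not
            // registered - confirm; the constant-first equals() below copes
            // with that either way.
            String name = ObjectID.getRegisteredName(algorithmID);
            //Then, we check the name in order to instantiate the right class
            java.security.Signature verificator;
            if ("md5WithRSAEncryption".equals(name)) {
                verificator = new Md5RSASignature();
            }
            else if ("sha1WithRSAEncryption".equals(name)) {
                verificator = new ShaRSASignature();
            }
            else {
                // Unsupported algorithm: reject explicitly.
                return false;
            }
            //Next, we obtain the SOA's certificate
            X509Certificate soa = (X509Certificate) soaCerts.get(signer.getEntry().getEntryName().getName());
            if (soa == null) {
                return false;
            }
            //Finally, we verify the digital signature...
            verificator.initVerify(soa);
            verificator.update(value);
            //...and the result is returned.
            return verificator.verify(signature);
        }
        catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }

    /**
     * Closes a certificate file stream, ignoring a failure to close.
     * By the time this is called the certificate has either been parsed
     * or rejected, so a close failure does not affect the result.
     */
    private static void closeQuietly(FileInputStream in) {
        if (in == null) {
            return;
        }
        try {
            in.close();
        }
        catch (java.io.IOException ignored) {
            // Nothing useful can be done here; the outcome is already decided.
        }
    }
}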
