psecredential.java

JXTA&#8482 is a set of open, generalized peer-to-peer (P2P) protocols that allow any networked devi

/*
 * Copyright (c) 2001-2007 Sun Microsystems, Inc.  All rights reserved.
 *  
 *  The Sun Project JXTA(TM) Software License
 *  
 *  Redistribution and use in source and binary forms, with or without 
 *  modification, are permitted provided that the following conditions are met:
 *  
 *  1. Redistributions of source code must retain the above copyright notice,
 *     this list of conditions and the following disclaimer.
 *  
 *  2. Redistributions in binary form must reproduce the above copyright notice, 
 *     this list of conditions and the following disclaimer in the documentation 
 *     and/or other materials provided with the distribution.
 *  
 *  3. The end-user documentation included with the redistribution, if any, must 
 *     include the following acknowledgment: "This product includes software 
 *     developed by Sun Microsystems, Inc. for JXTA(TM) technology." 
 *     Alternately, this acknowledgment may appear in the software itself, if 
 *     and wherever such third-party acknowledgments normally appear.
 *  
 *  4. The names "Sun", "Sun Microsystems, Inc.", "JXTA" and "Project JXTA" must 
 *     not be used to endorse or promote products derived from this software 
 *     without prior written permission. For written permission, please contact 
 *     Project JXTA at http://www.jxta.org.
 *  
 *  5. Products derived from this software may not be called "JXTA", nor may 
 *     "JXTA" appear in their name, without prior written permission of Sun.
 *  
 *  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
 *  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 
 *  FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SUN 
 *  MICROSYSTEMS OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 
 *  INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 
 *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, 
 *  OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 
 *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 
 *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, 
 *  EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *  
 *  JXTA is a registered trademark of Sun Microsystems, Inc. in the United 
 *  States and other countries.
 *  
 *  Please see the license information page at :
 *  <http://www.jxta.org/project/www/license.html> for instructions on use of 
 *  the license in source files.
 *  
 *  ====================================================================
 *  
 *  This software consists of voluntary contributions made by many individuals 
 *  on behalf of Project JXTA. For more information on Project JXTA, please see 
 *  http://www.jxta.org.
 *  
 *  This license is based on the BSD license adopted by the Apache Foundation. 
 */

package net.jxta.impl.membership.pse;


import net.jxta.credential.Credential;
import net.jxta.credential.CredentialPCLSupport;
import net.jxta.document.Attributable;
import net.jxta.document.Attribute;
import net.jxta.document.Element;
import net.jxta.document.MimeMediaType;
import net.jxta.document.StructuredDocument;
import net.jxta.document.StructuredDocumentFactory;
import net.jxta.document.StructuredDocumentUtils;
import net.jxta.document.XMLDocument;
import net.jxta.document.XMLElement;
import net.jxta.exception.PeerGroupException;
import net.jxta.id.ID;
import net.jxta.id.IDFactory;
import net.jxta.logging.Logging;
import net.jxta.peer.PeerID;
import net.jxta.peergroup.PeerGroupID;
import net.jxta.service.Service;

import java.beans.PropertyChangeListener;
import java.beans.PropertyChangeSupport;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.SequenceInputStream;
import java.io.StringReader;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.InvalidKeyException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Timer;
import java.util.TimerTask;
import java.util.logging.Level;
import java.util.logging.Logger;


/**
 * This class provides the sub-class of Credential which is associated with the
 * PSE membership service.
 * <p/>
 * There are two varients of the credential:
 * <p/>
 * <ul>
 * <li>local - Generated as a result of local login. This type of
 * credential can be used for signing and can be serialized for inclusion
 * in protocols.</li>
 * <li>remote - Generated as a result of deserialization from protocols.
 * The credential is verified to ensure that the contents are valid at the
 * time it is created.</li>
 * </ul>
 * <p/>
 * The schema for this credential format:
 * <p/>
 * <pre><code>
 *  &lt;xs:element name="PSECred" type="jxta:PSECred" />
 * <p/>
 *  &lt;xs:complexType name="PSECred">
 *    &lt;xs:sequence>
 *      &lt;xs:element name="PeerGroupID" type="jxta:JXTAID" />
 *      &lt;xs:element name="PeerID" type="jxta:JXTAID" />
 *      &lt;!-- An X.509 Certificate -->
 *      &lt;xs:element name="Certificate" type="xs:string" minOccurs="1" maxOccurs="unbounded" />
 *      &lt;!-- A SHA1WithRSA Signature -->
 *      &lt;xs:element name="Signature" type="xs:string" />
 *    &lt;/xs:sequence>
 *  &lt;/xs:complexType>
 *  &lt;/code></pre>
 * <p/>
 * FIXME 20050625 bondolo If the certificate chain for a credential is
 * updated in the PSE keystore after a credential is created then the
 * credential instance will not reflect those changes. This can be a problem if
 * the issuer chain changes or expiries are updated. Even though it's going to
 * be hit on performance PSECredential needs to changed to be backed by the PSE
 * keystore directly rather than containing the certs. Either that or some kind
 * of notification systems. It's probably best to assume that our simple cm
 * based keystore is the easiest and least dynamic case. Every other key store
 * is going to be more dynamic and difficult. The work around for now is to
 * force a membership resign everytime the keystore contents are changed.
 *
 * @see net.jxta.credential.Credential
 * @see net.jxta.impl.membership.pse.PSEMembershipService
 */
public final class PSECredential implements Credential, CredentialPCLSupport {

    /**
     * Logger
     */
    private static final Logger LOG = Logger.getLogger(PSECredential.class.getName());

    /**
     * A Timer we use for managing the cert expirations.
     */
    private static Timer expirationTimer = new Timer("PSECredential Expiration Timer", true);

    /**
     * The MembershipService service which generated this credential.
     * <p/>
     * XXX 20030609 bondolo@jxta.org Perhaps this should be a weak reference.
     */
    private PSEMembershipService source;

    /**
     * The peer group associated with this credential.
     */
    private ID peerGroupID = null;

    /**
     * The peerid associated with this credential.
     */
    private ID peerID = null;

    /**
     * The pse alias from which this credential was generated. Only locally
     * created credentials will be intialized with a key ID.
     */
    private ID keyID = null;

    /**
     * The identity associated with this credential
     */
    private CertPath certs = null;

    /**
     * The private key associated with this credential. Used for signing. Only
     * a locally created credential will have an initialized private key.
     */
    private PrivateKey privateKey = null;

    /**
     * Optional Timer task
     */
    private TimerTask becomesValidTask = null;
    private TimerTask expiresTask = null;

    /**
     * Are we still a valid credential?
     */
    private boolean valid = true;

    /**
     * Is this a local credential?
     */
    private final boolean local;

    /**
     * property change support
     */
    private PropertyChangeSupport support = new PropertyChangeSupport(this);

    /**
     * Create a new local credential. This credential can be used for signing
     * and can be serialized.
     */
    protected PSECredential(PSEMembershipService source, ID keyID, CertPath certChain, PrivateKey privateKey) throws IOException {
        this.source = source;
        this.peerID = source.group.getPeerID();
        this.peerGroupID = source.group.getPeerGroupID();
        setKeyID(keyID);
        setCertificateChain(certChain);
        setPrivateKey(privateKey);
        this.local = true;
    }

    /**
     * Create a new remote credential. This credential cannot be used for
     * signing and cannot be re-serialized.
     */
    public PSECredential(Element root) {
        this.local = false;
        initialize(root);
    }

    /**
     * Create a new remote credential. This credential cannot be used for
     * signing and cannot be re-serialized.
     */
    public PSECredential(PSEMembershipService source, Element root) {
        this.local = false;
        this.source = source;
        initialize(root);

        if (!peerGroupID.equals(source.group.getPeerGroupID())) {
            throw new IllegalArgumentException(
                    "Credential is from a different group. " + peerGroupID + " != " + source.group.getPeerGroupID());
        }
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public boolean equals(Object target) {

        if (this == target) {
            return true;
        }

        if (target instanceof PSECredential) {
            PSECredential asCred = (PSECredential) target;

            boolean result = peerID.equals(asCred.peerID)
                    && source.group.getPeerGroupID().equals(asCred.source.group.getPeerGroupID());

            result &= certs.equals(asCred.certs);

            return result;
        }

        return false;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    protected void finalize() throws Throwable {
        if (null != becomesValidTask) {
            becomesValidTask.cancel();
        }

        if (null != expiresTask) {
            expiresTask.cancel();
        }

        super.finalize();
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public int hashCode() {
        int result = peerID.hashCode() * source.group.getPeerGroupID().hashCode() * certs.hashCode();

        if (0 == result) {
            result = 1;
        }

        return result;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String toString() {
        return "\"" + getSubject() + "\" " + getPeerID() + " [" + source + " / " + getPeerGroupID() + "]";
    }

    /**
     * Add a listener
     *
     * @param listener the listener
     */
    public void addPropertyChangeListener(PropertyChangeListener listener) {
        support.addPropertyChangeListener(listener);
    }

    /**
     * Add a listener
     *
     * @param propertyName the property to watch
     * @param listener     the listener
     */
    public void addPropertyChangeListener(String propertyName, PropertyChangeListener listener) {
        support.addPropertyChangeListener(propertyName, listener);
    }

    /**
     * Remove a listener
     *
     * @param listener the listener
     */
    public void removePropertyChangeListener(PropertyChangeListener listener) {
        support.removePropertyChangeListener(listener);
    }

    /**
     * Remove a listener
     *
     * @param propertyName the property which was watched
     * @param listener     the listener
     */
    public void removePropertyChangeListener(String propertyName, PropertyChangeListener listener) {
        support.removePropertyChangeListener(propertyName, listener);
    }

    /**
     * {@inheritDoc}
     */
    public ID getPeerGroupID() {
        return peerGroupID;
    }

    /**
     * set the peer id associated with this credential
     */
    private void setPeerGroupID(ID newID) {
        this.peerGroupID = newID;
    }

    /**
     * {@inheritDoc}
     */
    public ID getPeerID() {
        return peerID;
    }

    /**
     * set the peer id associated with this credential
     */
    private void setPeerID(PeerID peerID) {
        this.peerID = peerID;
    }

    /**
     * {@inheritDoc}
     * <p/>
     * A PSE Credential is valid as long as the associated certificate is
     * valid.
     */
    public boolean isExpired() {
        try {
            ((X509Certificate) certs.getCertificates().get(0)).checkValidity();
            return false;
        } catch (CertificateExpiredException expired) {
            return true;
        } catch (CertificateNotYetValidException notyet) {
            return true;
        }
    }

    /**
     * {@inheritDoc}
     * <p/>
     * A PSE Credential is valid as long as the associated certificate is
     * valid and as long as the membership service still has the credential.
     */
    public boolean isValid() {
        return valid && !isExpired();
    }

    /**
     * {@inheritDoc}
     * <p/>
     * A PSE Credential is valid as long as the associated certificate is
     * valid.
     */
    void setValid(boolean valid) {
        boolean oldValid = isValid();

        this.valid = valid;

        if (oldValid != valid) {
            support.firePropertyChange("valid", oldValid, valid);