/* * Copyright (c) 2001-2007 Sun Microsystems, Inc. All rights reserved. * * The Sun Project JXTA(TM) Software License * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * 3. The end-user documentation included with the redistribution, if any, must * include the following acknowledgment: "This product includes software * developed by Sun Microsystems, Inc. for JXTA(TM) technology." * Alternately, this acknowledgment may appear in the software itself, if * and wherever such third-party acknowledgments normally appear. * * 4. The names "Sun", "Sun Microsystems, Inc.", "JXTA" and "Project JXTA" must * not be used to endorse or promote products derived from this software * without prior written permission. For written permission, please contact * Project JXTA at http://www.jxta.org. * * 5. Products derived from this software may not be called "JXTA", nor may * "JXTA" appear in their name, without prior written permission of Sun. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL SUN * MICROSYSTEMS OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * JXTA is a registered trademark of Sun Microsystems, Inc. in the United * States and other countries. * * Please see the license information page at : * <http://www.jxta.org/project/www/license.html> for instructions on use of * the license in source files. * * ==================================================================== * * This software consists of voluntary contributions made by many individuals * on behalf of Project JXTA. For more information on Project JXTA, please see * http://www.jxta.org. * * This license is based on the BSD license adopted by the Apache Foundation. 
*/package net.jxta.impl.membership.pse;import net.jxta.impl.util.BASE64InputStream;import net.jxta.impl.util.BASE64OutputStream;import net.jxta.logging.Logging;import org.bouncycastle.asn1.x509.X509NameTokenizer;import org.bouncycastle.asn1.DERObjectIdentifier;import org.bouncycastle.jce.X509Principal;import org.bouncycastle.jce.provider.BouncyCastleProvider;import org.bouncycastle.x509.X509V3CertificateGenerator;import javax.crypto.Cipher;import javax.crypto.EncryptedPrivateKeyInfo;import javax.crypto.SecretKey;import javax.crypto.SecretKeyFactory;import javax.crypto.spec.PBEKeySpec;import javax.crypto.spec.PBEParameterSpec;import javax.security.auth.x500.X500Principal;import java.io.BufferedReader;import java.io.BufferedWriter;import java.io.ByteArrayOutputStream;import java.io.IOException;import java.io.InputStream;import java.io.Reader;import java.io.StringReader;import java.io.StringWriter;import java.math.BigInteger;import java.security.AlgorithmParameters;import java.security.InvalidKeyException;import java.security.KeyFactory;import java.security.KeyPair;import java.security.KeyPairGenerator;import java.security.MessageDigest;import java.security.NoSuchAlgorithmException;import java.security.PrivateKey;import java.security.Provider;import java.security.SecureRandom;import java.security.Security;import java.security.Signature;import java.security.SignatureException;import java.security.cert.Certificate;import java.security.cert.X509Certificate;import java.security.spec.InvalidKeySpecException;import java.security.spec.KeySpec;import java.util.Calendar;import java.util.Date;import java.util.Hashtable;import java.util.logging.Level;import java.util.logging.Logger;/** * Singleton class of static utility methods. */public final class PSEUtils { /** * Logger */ private static final transient Logger LOG = Logger.getLogger(PSEUtils.class.getName()); /** * Singleton instance. 
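     */
    private static final PSEUtils UTILS = new PSEUtils();

    /**
     * A SecureRandom for generating keys and the other random values this class
     * needs (random name attributes). Shared by every static helper via {@link #UTILS}.
     */
    final transient SecureRandom srng = new SecureRandom();

    /**
     * Singleton utility class.
     * <p/>
     * Construction registers the Bouncy Castle provider with the JCA. The provider
     * class is first loaded through the system class loader so that the registered
     * provider is visible to every class loader in the VM; if that fails for any
     * reason, the locally visible class is registered instead (which may not be
     * visible to other loaders, hence the warning).
     */
    private PSEUtils() {
        try {
            ClassLoader sysloader = ClassLoader.getSystemClassLoader();
            Class<?> loaded = sysloader.loadClass(BouncyCastleProvider.class.getName());
            // getDeclaredConstructor().newInstance() instead of Class.newInstance():
            // the latter rethrows any checked exception from the provider's
            // constructor without declaring it. Both paths end in the catch below.
            Provider provider = (Provider) loaded.getDeclaredConstructor().newInstance();

            Security.addProvider(provider);

            if (Logging.SHOW_INFO && LOG.isLoggable(Level.INFO)) {
                LOG.info("Loaded Security Providers into system class loader");
            }
        } catch (Exception disallowed) {
            // Best effort fallback: register the provider class visible from this loader.
            if (Logging.SHOW_WARNING && LOG.isLoggable(Level.WARNING)) {
                LOG.log(Level.WARNING, "Failed loading Security Providers into System Class Loader. Will try local class loader (which may not work)", disallowed);
            }

            // Add the providers we use.
            Security.addProvider(new BouncyCastleProvider());

            if (Logging.SHOW_INFO && LOG.isLoggable(Level.INFO)) {
                LOG.info("Loaded Security Providers into local class loader");
            }
        }
    }

    /**
     * Issuer Information: the outcome of a certificate generation, carrying the
     * certificate together with the private key material needed to sign further
     * certificates with it. The fields are plain public holders; the two
     * {@link PrivateKey} fields hold secret key material.
     */
    public static class IssuerInfo {
        public X509Certificate cert;   // subject Cert
        public PrivateKey subjectPkey; // subject private key
        public X509Certificate issuer; // issuer Cert
        public PrivateKey issuerPkey;  // issuer private key
    }

    /**
     * Generate a Cert
     * <p/>
     * A fresh RSA keypair is generated and a certificate for it is produced via
     * {@link #genCert(X500Principal, KeyPair, IssuerInfo)}.
     *
     * @param cn subject cn for the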
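certificate (when no issuer is given, i.e. for a self-signed root cert,
     *           a "-CA" suffix is appended unless already present)
     * @param issuerinfo the cert issuer or null if self-signed root cert.
     * @return the details of the generated cert.
     * @throws SecurityException if the cert could not be generated.
     */
    public static IssuerInfo genCert(String cn, IssuerInfo issuerinfo) throws SecurityException {
        try {
            String useCN;

            if (null == issuerinfo) {
                if (Logging.SHOW_FINE && LOG.isLoggable(Level.FINE)) {
                    LOG.fine("Generating Self Signed Cert ...");
                }

                // Root certs are distinguished by a "-CA" suffix on the CN.
                useCN = cn.endsWith("-CA") ? cn : cn + "-CA";
            } else {
                if (Logging.SHOW_FINE && LOG.isLoggable(Level.FINE)) {
                    LOG.fine("Generating Client Cert ...");
                }

                useCN = cn;
            }

            // Subject DN: CN, O and a random OU. X509Principal wants a Hashtable.
            Hashtable<DERObjectIdentifier, String> attrs = new Hashtable<DERObjectIdentifier, String>();

            attrs.put(X509Principal.CN, useCN);
            attrs.put(X509Principal.O, "www.jxta.org");

            // XXX bondolo 20040405 wouldn't SN or UID be a better choice?
            // OU is 20 random hex digits (OU_RANDOM_BYTES random bytes) so that
            // subjects sharing a CN still get distinct DNs.
            byte[] ou = new byte[OU_RANDOM_BYTES];

            UTILS.srng.nextBytes(ou);
            attrs.put(X509Principal.OU, toHexDigits(ou));

            X509Principal subject = new X509Principal(attrs);
            X500Principal samesubject = new X500Principal(subject.getEncoded());

            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");

            g.initialize(RSA_KEY_SIZE, UTILS.srng);

            KeyPair keypair = g.generateKeyPair();

            return genCert(samesubject, keypair, issuerinfo);
        } catch (NoSuchAlgorithmException e) {
            throw certGenerationFailure(e);
        }
    }

    /**
     * RSA modulus size for generated keypairs. 1024-bit RSA is no longer
     * considered adequate; 2048 is the current minimum recommendation.
     */
    private static final int RSA_KEY_SIZE = 2048;

    /**
     * JCA signature algorithm used to sign generated certificates. SHA-1 based
     * signatures are deprecated for certificates; verifiers read the algorithm
     * from the certificate itself, so this only requires SHA-256 support in the
     * verifying JCE (present in every supported JDK and in Bouncy Castle).
     */
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";

    /**
     * Validity period of generated certificates, in years from generation time.
     */
    private static final int CERT_VALIDITY_YEARS = 10;

    /**
     * Number of random bytes behind the OU attribute (rendered as hex digits).
     */
    private static final int OU_RANDOM_BYTES = 10;

    /**
     * Bits of randomness in a certificate serial number. Serial numbers must be
     * positive and should be unique per issuer (RFC 5280 section 4.1.2.2); a
     * random 64-bit value replaces the former constant serial of 1.
     */
    private static final int SERIAL_NUMBER_BITS = 64;

    /**
     * Logs a certificate generation failure and wraps it for the caller.
     *
     * @param cause the underlying failure
     * @return a SecurityException carrying {@code cause}; the caller throws it
     */
    private static SecurityException certGenerationFailure(Exception cause) {
        if (Logging.SHOW_SEVERE && LOG.isLoggable(Level.SEVERE)) {
            LOG.log(Level.SEVERE, "Could not generate certificate", cause);
        }

        // SecurityException(String, Throwable) chains the cause like initCause() did.
        return new SecurityException("Could not generate certificate", cause);
    }

    /**
     * Generate a Cert given a keypair
     * <p/>
     * The certificate is valid from now for {@link #CERT_VALIDITY_YEARS} years,
     * signed with {@link #SIGNATURE_ALGORITHM} and carries a random positive
     * serial number. A null {@code issuerinfo} yields a self-signed certificate;
     * otherwise the issuer's subject key signs and the issuer's subject DN
     * becomes this certificate's issuer DN.
     *
     * @param subject subjectDN for the certificate
     * @param keypair the keypair to use.
     * @param issuerinfo the cert issuer or null if self-signed root cert.
     * @return the details of the generated cert.
     * @throws SecurityException if the cert could not be generated.
     */
    public static IssuerInfo genCert(X500Principal subject, KeyPair keypair, IssuerInfo issuerinfo) throws SecurityException {
        try {
            // set up issuer
            PrivateKey signer;
            X509Principal issuer;

            if (null == issuerinfo) {
                // self-signed root cert
                signer = keypair.getPrivate();
                issuer = new X509Principal(subject.getEncoded());
            } else {
                // issuer signed service cert
                signer = issuerinfo.subjectPkey;

                X500Principal issuer_subject = issuerinfo.cert.getSubjectX500Principal();

                issuer = new X509Principal(issuer_subject.getEncoded());
            }

            // set validity CERT_VALIDITY_YEARS years from today
            Date today = new Date();
            Calendar cal = Calendar.getInstance();

            cal.setTime(today);
            cal.add(Calendar.YEAR, CERT_VALIDITY_YEARS);

            Date until = cal.getTime();

            // generate cert
            X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();

            certGen.setIssuerDN(issuer);
            certGen.setSubjectDN(new X509Principal(subject.getEncoded()));
            certGen.setNotBefore(today);
            certGen.setNotAfter(until);
            certGen.setPublicKey(keypair.getPublic());
            certGen.setSignatureAlgorithm(SIGNATURE_ALGORITHM);
            // Random positive serial: +1 keeps zero out of the range.
            certGen.setSerialNumber(new BigInteger(SERIAL_NUMBER_BITS, UTILS.srng).add(BigInteger.ONE));

            // return issuer info for generating service cert
            IssuerInfo info = new IssuerInfo();

            // the cert
            info.cert = certGen.generateX509Certificate(signer, UTILS.srng);

            // For saving service cert private key
            info.subjectPkey = keypair.getPrivate();

            // for signing service cert
            info.issuer = (null == issuerinfo) ? info.cert : issuerinfo.cert;

            // for signing service cert
            info.issuerPkey = signer;

            // dump the certificate? Keyed on issuerinfo: 'issuer' is assigned in
            // both branches above, so testing it for null always chose "Client Cert".
            if (Logging.SHOW_FINE && LOG.isLoggable(Level.FINE)) {
                if (null == issuerinfo) {
                    LOG.fine("Root Cert : \n" + info.cert.toString());
                } else {
                    LOG.fine("Client Cert : \n" + info.cert.toString());
                }
            }

            return info;
        } catch (SignatureException e) {
            throw certGenerationFailure(e);
        } catch (InvalidKeyException e) {
            throw certGenerationFailure(e);
        } catch (IOException e) {
            throw certGenerationFailure(e);
        }
    }

    /**
     * Returns the value of the first {@code CN=} attribute of a distinguished name.
     *
     * @param dn the distinguished name to scan
     * @return everything after the first "CN=" token, or null if the DN has no CN attribute.
     */
    private static String findCName(X500Principal dn) {
        X509NameTokenizer tokens = new X509NameTokenizer(dn.getName());

        // iterate over the attributes of the dname
        while (tokens.hasMoreTokens()) {
            String aToken = tokens.nextToken();

            // shorter than "CN=" cannot match
            if (aToken.length() < 3) {
                continue;
            }

            if ("CN=".equalsIgnoreCase(aToken.substring(0, 3))) {
                return aToken.substring(3);
            }
        }

        return null;
    }

    /**
     * return the CN token from the provided cert's subjectDN
     *
     * @param cert the certificate to examine
     * @return the CN name or null if none could be found.
     */
    public static String getCertSubjectCName(X509Certificate cert) {
        // get the subject dname
        return findCName(cert.getSubjectX500Principal());
    }

    /**
     * return the CN token from the provided cert's issuerDN
     *
     * @param cert the certificate to examine
     * @return the CN name or null if none could be found.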
     */
    public static String getCertIssuerCName(X509Certificate cert) {
        // get the issuer dname (same scan as getCertSubjectCName, on the issuer principal)
        X500Principal issuer = cert.getIssuerX500Principal();
        X509NameTokenizer tokens = new X509NameTokenizer(issuer.getName());

        // iterate over the attributes of the dname
        while (tokens.hasMoreTokens()) {
            String aToken = tokens.nextToken();

            // shorter than "CN=" cannot match
            if (aToken.length() < 3) {
                continue;
            }

            String attribute = aToken.substring(0, 3);

            if ("CN=".equalsIgnoreCase(attribute)) {
                return aToken.substring(3);
            }
        }

        return null;
    }

    /**
     * Compute the signature of a stream.
     *
     * @param algorithm the JCA signature algorithm name (for example a "...withRSA" name)
     * @param key the private key used to sign the stream
     * @param stream the stream to sign.
     * @return byte[] the signature
     * @throws InvalidKeyException if the key is unusable with the algorithm
     * @throws SignatureException if signing fails
     * @throws IOException if the stream cannot be read, or if the algorithm is unknown
     */
    public static byte[] computeSignature(String algorithm, PrivateKey key, InputStream stream) throws InvalidKeyException, SignatureException, IOException {
        Signature sign;

        try {
            sign = Signature.getInstance(algorithm);
        } catch (NoSuchAlgorithmException badsigner) {
            // NOTE(review): badsigner is not chained onto the IOException, so the
            // original cause is lost from the stack trace.
            throw new IOException("Could not initialize signer with algorithm " + algorithm);
        }

        sign.initSign(key, UTILS.srng);

        byte[] buffer = new byte[1024];

        while (true) {
            int read = stream.read(buffer);