Clover Coverage Report
Coverage timestamp: Sun Mar 23 2008 08:24:39 GMT
659   1,201   162   18.31
266   908   0.3   18
36     5.47  
2    
 
 
  DISTestNew       Line # 127 637 160 50.8% 0.5081081
  DISTestNew.DepthsCreds       Line # 1152 22 3 47.2% 0.4722222
 
  (1)
 
1    /*
2    * Copyright (c) 2000-2005, University of Salford
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions are met:
7    *
8    * Redistributions of source code must retain the above copyright notice, this
9    * list of conditions and the following disclaimer.
10    *
11    * Redistributions in binary form must reproduce the above copyright notice,
12    * this list of conditions and the following disclaimer in the documentation
13    * and/or other materials provided with the distribution.
14    *
15    * Neither the name of the University of Salford nor the names of its
16    * contributors may be used to endorse or promote products derived from this
17    * software without specific prior written permission.
18    *
19    * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20    * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21    * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22    * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
23    * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24    * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25    * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26    * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27    * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28    * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29    * POSSIBILITY OF SUCH DAMAGE.
30    */
31   
32    /*
33    * Copyright (c) 2006, University of Kent
34    * All rights reserved.
35    *
36    * Redistribution and use in source and binary forms, with or without
37    * modification, are permitted provided that the following conditions are met:
38    *
39    * Redistributions of source code must retain the above copyright notice, this
40    * list of conditions and the following disclaimer.
41    *
42    * Redistributions in binary form must reproduce the above copyright notice,
43    * this list of conditions and the following disclaimer in the documentation
44    * and/or other materials provided with the distribution.
45    *
46    * 1. Neither the name of the University of Kent nor the names of its
47    * contributors may be used to endorse or promote products derived from this
48    * software without specific prior written permission.
49    *
50    * 2. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
51    * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
52    * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
53    * PURPOSE ARE DISCLAIMED.
54    *
55    * 3. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
56    * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
57    * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
58    * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
59    * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
60    * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
61    * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
62    * POSSIBILITY OF SUCH DAMAGE.
63    *
64    * 4. YOU AGREE THAT THE EXCLUSIONS IN PARAGRAPHS 2 AND 3 ABOVE ARE REASONABLE
65    * IN THE CIRCUMSTANCES. IN PARTICULAR, YOU ACKNOWLEDGE (1) THAT THIS
66    * SOFTWARE HAS BEEN MADE AVAILABLE TO YOU FREE OF CHARGE, (2) THAT THIS
67    * SOFTWARE IS NOT "PRODUCT" QUALITY, BUT HAS BEEN PRODUCED BY A RESEARCH
68    * GROUP WHO DESIRE TO MAKE THIS SOFTWARE FREELY AVAILABLE TO PEOPLE WHO WISH
69    * TO USE IT, AND (3) THAT BECAUSE THIS SOFTWARE IS NOT OF "PRODUCT" QUALITY
70    * IT IS INEVITABLE THAT THERE WILL BE BUGS AND ERRORS, AND POSSIBLY MORE
71    * SERIOUS FAULTS, IN THIS SOFTWARE.
72    *
73    * 5. This license is governed, except to the extent that local laws
74    * necessarily apply, by the laws of England and Wales.
75    */
76   
77   
78    package issrg.test.ds;
79   
80    /*
81    * UserSide.java
82    *
83    * Created on April 5, 2005, 3:53 PM
84    */
85   
86    import issrg.aef.SamplePKI;
87    import issrg.pba.rbac.LDAPDNPrincipal;
88    import issrg.pba.rbac.policies.*;
89    import issrg.pba.repository.*;
90    import java.util.Map;
91    import java.util.Hashtable;
92    import java.util.Enumeration;
93    import java.util.Vector;
94    import java.io.BufferedReader;
95    import java.io.InputStreamReader;
96    import java.io.FileInputStream;
97    import java.io.FileNotFoundException;
98    import java.io.IOException;
99    import java.util.Date;
100    import java.util.GregorianCalendar;
101    import java.math.BigInteger;
102    import iaik.asn1.*;
103    import iaik.asn1.structures.*;
104    import issrg.dis.Comm;
105    import issrg.pba.rbac.SetOfSubsetsCredentials;
106    import issrg.pba.rbac.ExpirableCredentials;
107    import issrg.pba.rbac.AbsoluteValidityPeriod;
108    import issrg.pba.ParsedToken;
109    import issrg.pba.DelegatableToken;
110    import issrg.pba.*;
111    import issrg.pba.rbac.*;
112    import issrg.ac.*;
113    import issrg.ac.attributes.*;
114    //import org.apache.//log4j.//logger;
115    //import org.apache.//log4j.BasicConfigurator;
116   
117    /**
118    * This is the DIS java object. This object is used
119    * to check and issue ACs on behalf of other
120    * managers.
121    *
122    * <p>DIS java object will use PERMIS PDP to
123    * make sure that the issuer (manager) have enough
124    * privileges to issue an AC and the issuance of that AC
125    * must conform to delegation policy
126    */
 
127    public class DISTestNew/* extends issrg.dis.DIS */{
128   
129   
130    // static //logger //log = //logger.get//logger(DISTestNew.class);
131    // static org.apache.//log4j.Appender appender;
132    // static org.apache.//log4j.Layout layout = new org.apache.//log4j.PatternLayout("[%t] %-5p %c %x - %m%n");
133   
134    //configuration files
135    private static final String config_file = "dis.cfg";
136    private static final String serial_file = "serialnumber.cfg";
137    //use to read and write attribute certificate to LDAP
138    protected static String AC_attribute;
139    protected static String User_certificate;
140    private static final String SEPARATOR = "|";
141    private static final String DOUBLE_SEPARATOR = "||";
142    protected static final int CREDS = 0;
143    private static final int RULES = 1;
144   
145    //following parameters are readed from configuration file
146    private static String PKC;
147    protected static String SOA;
148    protected static String DIS;
149    public String OID;
150    private static String LDAP = null;
151    private static String rootDN;
152    private static String rootPass;
153    private static boolean downgradeable; //whether or not privileges for the requested AC can be downgraded based on the issuer's privileges and policy
154    private static String SIGN_KEY_PATH;
155    private static String SIGN_KEY_PASSWORD;
156    private static String DIS_AC_LOCATION = null;
157   
158    public static issrg.utils.repository.AttributeRepository r;
159    private static boolean NO_DOWNGRADE = false;
160   
161    private iaik.x509.X509Certificate x509;
162    private issrg.security.DefaultSecurity ds;
163    protected issrg.pba.rbac.SignatureVerifier sv = new SamplePKI();
164    private issrg.pba.PolicyParser pp;
165    VirtualLDAP ldapUtility;
166   
167    private issrg.security.DefaultSecurity signingUtility = new issrg.security.PKCS12Security();
168    private Map roleTypes;// = new Hashtable();
169    SetOfSubsetsCredentials emptyCreds = new SetOfSubsetsCredentials();
170    private final static String NO_DELEGATION="-1";
171    private static final String SEPARATOR_APACHE = ",";
172    private static final String SPACE = " ";
173    private boolean verbose;
174    // private issrg.pba.PolicyParser pp;
175    private RoleHierarchyPolicy roleHierarchyPolicy;
176    issrg.pba.AuthzTokenParser tokenParser;
177    issrg.pba.rbac.policies.AllocationPolicy allocationPolicy;
178    issrg.dis.DISRAPandParser policyFinder;
179    issrg.pba.rbac.RuleComparator comparator;
180   
181    issrg.ac.extensions.AttributeAuthorityInformationAccess aaia = null;
182    Vector trustedProxy = new Vector();
183    issrg.ac.attributes.AuthorityAttributeIdentifier aai = null;
184    issrg.simplePERMIS.SimplePERMISAuthzTokenRepository repository;
185    java.util.Vector soas = new java.util.Vector();
186   
187    String rootcaDN;
188    java.security.cert.X509Certificate signerPKC;
189    protected int virtualSerialNumber = 1;
190    GeneralNames DISGeneralNames;
191    IssuerSerial rootCASerial;
192    AlgorithmID signatureAlg;
193   
194    private static final String SATISFIED = "satisfied";
195   
196    private static final String CLIENTDN = "clientDN";
197    private static final String ISSUERDN = "issuerDN";
198    private static final String HOLDERDN = "holderDN";
199    private static final String IOBO = "issuedOnBehalfOf";
200    private static final String SERIAL = "serialNumber";
201    private static final String ROLETYPESVALUES = "roleTypesValues";
202    private static final String DELEGATION_DEPTH = "delegation depth";
203    private static final String NOT_BEFORE = "notBefore";
204    private static final String NOT_AFTER = "notAfter";
205    private static final String INDEX = "index";
206   
 
207  0 toggle public DISTestNew() throws Exception {
208   
209    }
 
210  1 toggle public DISTestNew(String path) throws Exception {
211  1 try {
212  1 readConfigFile(path);
213  1 SOA = issrg.utils.RFC2253NameParser.toCanonicalDN(SOA);
214  1 if (SOA == null) {
215  0 System.out.println("Error with SOA's DN");
216  0 System.exit(-1);
217    }
218   
219  1 String keyPath = path.substring(0, path.length());
220  1 String separator = System.getProperties().getProperty("file.separator");
221  1 keyPath = keyPath.concat(separator);
222  1 SIGN_KEY_PATH = keyPath.concat(SIGN_KEY_PATH);
223   
224  1 signingUtility.login(SIGN_KEY_PATH, SIGN_KEY_PASSWORD.toCharArray());
225  1 signerPKC = signingUtility.getVerificationCertificate();
226  1 DIS = issrg.utils.RFC2253NameParser.toCanonicalDN(signerPKC.getSubjectDN().getName());
227  1 if (DIS == null) {
228  0 throw new Exception("Error with DIS's signing key: DN of the key's holder is in correct format");
229    }
230  1 DIS = DIS.toUpperCase();
231  1 try {
232  1 rootcaDN = ((iaik.asn1.structures.Name) signerPKC.getIssuerDN()).getRFC2253String();
233    } catch (iaik.utils.RFC2253NameParserException rnpe) {
234  0 throw new Exception("Failed to decode DNs", rnpe);
235    }
236   
237  1 issrg.dis.LDAPUtility.AC_attribute=AC_attribute;
238  1 ldapUtility = new VirtualLDAP();
239  1 r = (issrg.utils.repository.AttributeRepository) ldapUtility;
240  1 initialize(r,path);
241  1 keyPath = path.substring(0, path.length());
242  1 keyPath = keyPath.concat(separator);
243  1 PKC = keyPath.concat(PKC);
244   
245  1 x509 = new iaik.x509.X509Certificate(new java.io.FileInputStream(PKC));
246  1 ds = new issrg.security.PKCS12Security();
247  1 ds.setRootCA(x509);
248  1 ds.setPKCRepository(new issrg.security.PKCRepository(r));
249  1 sv = new issrg.pba.rbac.SimpleSignatureVerifier(ds);
250   
251  1 CustomisePERMIS.setAttributeCertificateAttribute(AC_attribute);
252  1 CustomisePERMIS.setUserCertificateAttribute(User_certificate);
253  1 CustomisePERMIS.configureX509Flavour();
254    // CustomisePERMIS.registerACExtensions();
255  1 policyFinder = new issrg.dis.DISRAPandParser(r, OID, new LDAPDNPrincipal(SOA), sv, org.apache.log4j.Level.toLevel("OFF"));
256  1 pp = policyFinder.getPolicyPaser();
257  1 tokenParser = policyFinder.getAuthTokenParser();
258  1 allocationPolicy = policyFinder.getAllocationPolicy();
259  1 comparator = policyFinder.getComparator();
260  1 roleHierarchyPolicy = (issrg.pba.rbac.xmlpolicy.XMLPolicyParser.RoleHierarchyPolicyNode) ((issrg.pba.rbac.xmlpolicy.XMLPolicyParser) pp).getAuthTokenParsingRules().get(issrg.pba.rbac.RoleHierarchyPolicy.class);
261   
262   
263  1 java.util.Map mapSOAs = ((issrg.pba.rbac.xmlpolicy.XMLPolicyParser)pp).getSOAs();
264  1 boolean foundDISAsSOA = false;
265  1 java.util.Collection collectionSOAs = mapSOAs.values();
266  2 for (java.util.Iterator ite = collectionSOAs.iterator(); ite.hasNext();) {
267  1 soas.add(ite.next());
268    }
269  1 LDAPDNPrincipal disPrincipal = new LDAPDNPrincipal(DIS);
270  2 for (int i = 0; i < soas.size(); i++) {
271  1 LDAPDNPrincipal soaPrincipal = (LDAPDNPrincipal) soas.get(i);
272  1 if (soaPrincipal.equals(disPrincipal)) {
273  0 foundDISAsSOA = true;
274  0 break;
275    }
276    }
277   
278  1 if (!foundDISAsSOA) {
279  1 getDISSerials();
280  1 if (aai == null) {
281  0 throw new Exception("The DIS does not have any AC that can be used for delegation");
282    }
283    // String DIS_AC_LOCATION = new String(LDAP).concat("/").concat(DIS);
284    // aaia = new issrg.ac.attributes.AttributeAuthorityInformationAccess(new String[] {DIS_AC_LOCATION});
285    }
286   
287  1 readRoleTypes();
288   
289  1 DISGeneralNames = issrg.ac.Util.buildGeneralNames(DIS);
290  1 rootCASerial = new issrg.ac.IssuerSerial(issrg.ac.Util.buildGeneralNames(rootcaDN), signerPKC.getSerialNumber(), null);
291   
292  1 byte[] bt = signerPKC.getSigAlgParams();
293  1 ASN1Object algParams = bt == null ? null : iaik.asn1.DerCoder.decode(bt);
294  1 signatureAlg = new iaik.asn1.structures.AlgorithmID(new iaik.asn1.ObjectID(signingUtility.getSigningAlgorithmID()));
295  1 repository = new issrg.simplePERMIS.SimplePERMISAuthzTokenRepository(AC_attribute, ldapUtility, tokenParser);
296    } catch (Throwable th) {
297  0 throw new Exception("Error when initializing the Delegation Service");
298    //if (verbose) th.printStackTrace();
299    }
300    }
301   
 
302  0 toggle protected void initialize(issrg.utils.repository.AttributeRepository r, String path) {
303    //this method is used for testing purposes
304    }
305   
 
306  1 toggle private void getDISSerials() throws Exception {
307   
308  1 javax.naming.directory.Attribute attr;
309  1 try {
310  1 attr = ldapUtility.loadACs(DIS);
311  0 if (attr == null) return;
312   
313  1 int num = attr.size();
314  1 Vector disIssuerSerials = new Vector();
315  2 for (int i = 0; i < num; i++) {
316  1 byte[] acObject = (byte[]) attr.get(i);
317  1 issrg.ac.AttributeCertificate ac = issrg.ac.AttributeCertificate.guessEncoding(acObject);
318  1 LDAPDNPrincipal holder = new LDAPDNPrincipal(issrg.ac.Util.generalNamesToString(ac.getACInfo().getHolder().getEntityName()));
319  0 if (!holder.equals(new LDAPDNPrincipal(DIS))) continue;
320  1 String issuer = issrg.ac.Util.generalNamesToString(ac.getACInfo().getIssuer().getV1Form()==null?ac.getACInfo().getIssuer().getV2Form().getIssuerName():ac.getACInfo().getIssuer().getV1Form()).toLowerCase();
321   
322  1 LDAPDNPrincipal issuerPrincipal = new LDAPDNPrincipal(issuer);
323  1 boolean foundSOAAsIssuer = false;
324  1 for (int j = 0; j < soas.size(); j++) {
325  1 LDAPDNPrincipal soaPrincipal = (LDAPDNPrincipal) soas.get(j);
326  1 if (soaPrincipal.equals(issuerPrincipal)) {
327  1 foundSOAAsIssuer = true;
328  1 break;
329    }
330    }
331   
332  0 if (!foundSOAAsIssuer) continue;
333   
334  1 ParsedToken token = tokenParser.decode(acObject);
335  0 if (!(token instanceof DelegatableToken)) continue;
336  1 DelegatableToken tokenD = (DelegatableToken) token;
337  1 AssignmentRule assertRule = new AssignmentRule(tokenD.getSubjectDomain(), tokenD.getDepth(), tokenD.getDelegateableCredentials());
338  1 Vector holders = new Vector();
339  1 holders.add(tokenD.getHolder());
340  1 Vector rules = allocationPolicy.validate(token.getHolder(), token.getIssuerTokenLocator(), assertRule, repository, holders);
341  1 if (rules.size() == 0) {
342  0 continue;
343    }
344  1 GeneralName SOAGeneralName = new GeneralName(GeneralName.directoryName, new iaik.utils.RFC2253NameParser(issuer.toUpperCase()).parse());
345  1 GeneralNames SOAGeneralNames = new GeneralNames(SOAGeneralName);
346  1 disIssuerSerials.add(new IssuerSerial(SOAGeneralNames, ac.getACInfo().getSerialNumber(), null));
347   
348    }
349   
350  1 int numberOfIssuerSerials = disIssuerSerials.size();
351  1 if (numberOfIssuerSerials > 0) {
352  1 IssuerSerial[] a = new IssuerSerial[0];
353  1 a = (IssuerSerial[]) disIssuerSerials.toArray(a);
354  1 aai = new issrg.ac.attributes.AuthorityAttributeIdentifier((IssuerSerial[]) a);
355    }
356    } catch (Exception e) {
357  0 throw new Exception("Error when reading the DIS's ACs");
358    }
359    }
360   
 
361  1 toggle private void readConfigFile(String path) throws Exception {
362    //log.debug("Start reading the config file");
363  1 String separator = System.getProperties().getProperty("file.separator");
364  1 String configPath = path.concat(separator);
365  1 configPath = configPath.concat(config_file);
366    //log.debug("config file path: " + configPath);
367  1 BufferedReader in = null;
368  1 try {
369  1 try {
370  1 in = new BufferedReader(new InputStreamReader(new FileInputStream(configPath)));
371    } catch(IOException ioe) {
372    //log.fatal("Error when reading the config file");
373  0 throw ioe;
374    }
375  1 String line;
376  1 String left, right;
377  1 int i;
378  0 while ((line = in.readLine()) != null) {
379  13 line = line.intern();
380  13 if (line == "") continue;
381  10 line = line.trim();
382  10 i = line.indexOf(" ");
383  10 if (i < 0) {
384  0 if (verbose) System.err.println("Unrecognised line ignored: " + line);
385  0 continue;
386    }
387   
388  10 left = line.substring(0, i).toLowerCase().trim().intern();
389  10 right = line.substring(i + 1).trim().intern();
390   
391  10 if (left.charAt(0) == '#') {
392  0 continue;
393  10 } else if (left=="soa") {
394  1 SOA = right.toUpperCase();
395    //log.debug("got the SOA's DN");
396  9 } else if (left=="policyoid") {
397  1 OID = right;
398    //log.debug("got the policy OID");
399  8 } else if (left=="pkc") {
400  1 PKC= right;
401    //log.debug("got the PKC");
402  7 } else if (left=="ldap") {
403  0 LDAP = right;
404    //log.debug("got the ");
405  7 } else if (left=="downgradeable") {
406  1 downgradeable = right=="1";
407  6 } else if (left=="rootldap") {
408  1 rootDN = right;
409    //log.debug("got the ldap's writeable account");
410  5 } else if (left=="passwordldap") {
411  1 rootPass = right;
412    //log.debug("got the ldap's writeable account's password");
413  4 } else if (left=="signkeypath") {
414  1 SIGN_KEY_PATH = right;
415    //log.debug("got the signing key path");
416  3 } else if (left=="signkeypassword") {
417  1 SIGN_KEY_PASSWORD = right;
418    //log.debug("got the signing key password");
419  2 } else if (left=="ldapattributecertificateattribute") {
420  1 AC_attribute = right;
421    //log.debug("got the ACType: "+ AC_attribute);
422  1 } else if (left =="usercertificate") {
423  1 User_certificate = right;
424    //log.debug("got the PKC type: "+ User_certificate);
425  0 } else if (left=="attributelocation") {
426  0 DIS_AC_LOCATION = right;
427    //log.debug("got the location of the DIS's ACs: " + DIS_AC_LOCATION);
428  0 } else if (left == "trusted") {
429  0 trustedProxy.add(issrg.utils.RFC2253NameParser.toCanonicalDN(right));
430    //log.debug("got the DN of the trusted proxy: "+ issrg.utils.RFC2253NameParser.toCanonicalDN(right));
431    } else {
432  0 System.err.println("Unrecognised line ignored: " + line);
433    }
434    }
435    } catch (FileNotFoundException fnfe) {
436  0 throw new FileNotFoundException("Config file not found" + config_file);
437    } catch (IOException ioe) { // propagate the exceptions to the caller
438  0 throw new IOException("Error reading configuration file");
439    }
440   
441    }
442   
 
443  1 toggle private void readRoleTypes() {
444  1 roleTypes = new Hashtable(roleHierarchyPolicy.getTypeOid());
445   
446    // get all the OIDs in the policy, and register PermisRole attribute value
447  1 String [] oids = (String[])roleTypes.values().toArray(new String[0]);
448  2 for (int i=0; i<oids.length; i++){
449  1 issrg.ac.attributes.PermisRole.registerMe(oids[i]); // now whenever an Attribute Certificate with the attribute with this OID is encountered, the attribute PermisRole will be created.
450    }
451    }
452   
 
453  30 toggle public String signForMe(String issuerDN, String holderDN, String[] roleValues, String roleType, String from, String to, String assertion, String deep) {
454   
455  30 String roleTypeValues = roleType + ":";
456  73 for (int i = 0; i < roleValues.length; i++) roleTypeValues = roleTypeValues + roleValues[i] + " ";
457  30 roleTypeValues = roleTypeValues.substring(0, roleTypeValues.length() - 1);
458  30 SetOfSubsetsCredentials creds1 = createSet(roleTypeValues, from, to);
459  30 if (creds1.getValue().isEmpty()) return issrg.dis.Comm.ROLETYPE_OR_ROLE_VALUE_IS_NOT_SUPPORTED_IN_POLICY;
460  29 int depth1;
461  29 Integer depthInt = new Integer(deep);
462  26 if (depthInt.intValue() < 0) depth1 = -2; else if (depthInt.intValue() == 0) depth1 = -1; else depth1 = depthInt.intValue() -1;
463  29 DepthsCreds depthsCreds = new DepthsCreds();
464  29 depthsCreds.setDepth1(depth1);
465  29 depthsCreds.setCreds1(creds1);
466  29 String resultAfterCheckAndConstrain = checkAndConstrain(issuerDN, holderDN, assertion, depthsCreds);
467  29 if (!resultAfterCheckAndConstrain.equals(SATISFIED)) return resultAfterCheckAndConstrain;
468  20 try {
469    //System.out.println("In signForMe function, before going to generateAC: "+ depthsCreds.getCreds2());
470  20 byte[] ac = generateAC(issuerDN, holderDN, (SetOfSubsetsCredentials)depthsCreds.getCreds2(), assertion, depthsCreds.getDepth2());
471  20 if (ac.length == 0) {
472    //System.out.println("Created AC is in wrong format, length = 0");
473  0 return issrg.dis.Comm.ACCREATION_ERROR;
474    }
475  20 try {
476  20 storeToLDAP(ac);
477    } catch (Exception ee) {
478  0 return Comm.ERROR_WRITING_LDAP;
479    }
480  20 return prepareReturn(ac, assertion, depthsCreds.getDepth2());
481    } catch (Exception e) {
482  0 if (verbose) e.printStackTrace();
483  0 return issrg.dis.Comm.ACCREATION_ERROR;
484    }
485   
486    }
487   
 
488  20 toggle private String prepareReturn(byte[] ac, String assertion, int depth) {
489  20 try {
490    //log.debug("start preparing the return message");
491  20 String done = issrg.dis.Comm.PUBLISH;
492  20 issrg.ac.AttributeCertificate acc = issrg.ac.AttributeCertificate.guessEncoding(ac);
493  20 String holder = issrg.ac.Util.generalNamesToString(acc.getACInfo().getHolder().getEntityName());
494  20 done = done + SEPARATOR + holder + SEPARATOR;
495  20 Vector attributes = acc.getACInfo().getAttributes();
496  40 for (int i = 0; i < attributes.size(); i++) {
497  20 issrg.ac.Attribute att = (issrg.ac.Attribute) attributes.get(i);
498  20 String typeOID = att.getType();
499  20 String roleType = roleHierarchyPolicy.getTypeByOID(typeOID);//(String) roleTypes.get(typeOID);
500  20 done = done + roleType + ":";
501  20 Vector roles = att.getValues();
502  44 for (int j = 0; j < roles.size(); j++) {
503  24 PermisRole r = (PermisRole) roles.get(j);
504  24 done = done + r.getRoleValue() + ",";
505    }
506  20 done = done.substring(0, done.length() -1);
507  20 done = done + "+";
508    }
509  20 done = done.substring(0, done.length() - 1);
510  20 done = done + SEPARATOR;
511   
512  20 done = done + acc.getACInfo().getValidityPeriod().getNotBefore().getTime().getTime().toString() + SEPARATOR;
513  20 done = done + acc.getACInfo().getValidityPeriod().getNotAfter().getTime().getTime().toString() + SEPARATOR;
514   
515  20 done = done + (assertion.equals("can")? issrg.dis.Comm.CAN_ASSERT: issrg.dis.Comm.CAN_NOT_ASSERT) + SEPARATOR;
516  20 depth++;
517  20 done = done + new Integer(depth).toString();
518    //log.debug(done);
519  20 return done;
520    }catch (iaik.asn1.CodingException ce) {
521  0 return Comm.CAN_NOT_DECODE_AC_TO_BE_SIGN;
522    }
523    }
524   
 
525  50 toggle private boolean checkAndConstrain(ParsedToken token, DepthsCreds depthsCreds) {
526  50 try {
527  50 Vector holders = new Vector();
528  50 holders.add(token.getHolder());
529  50 if (!(token instanceof DelegatableToken)) {
530  7 Credentials credsCon = allocationPolicy.validate(token.getHolder(), token.getIssuerTokenLocator(), token.getCredentials(), repository, holders);
531    //System.out.println("In checkAndConstrain core function, getCreds1 and credsCon are :" + depthsCreds.getCreds1() + " " + credsCon);
532  0 if (credsCon.equals(emptyCreds)) return false;
533  7 if (credsCon.contains(depthsCreds.getCreds1())) {
534  3 depthsCreds.setCreds2((Credentials)depthsCreds.getCreds1().clone());
535  3 depthsCreds.setDepth2(-2);
536  3 return true;
537    }
538  0 if (!downgradeable) return false;
539  4 depthsCreds.setCreds2(credsCon);
540  4 depthsCreds.setDepth2(-2);
541  4 return true;
542    } else {
543  43 DelegatableToken tokenD = (DelegatableToken) token;
544  43 AssignmentRule asRAR = new AssignmentRule(tokenD.getSubjectDomain(), tokenD.getDepth(), tokenD.getDelegateableCredentials());
545  43 Vector vRars = allocationPolicy.validate(tokenD.getHolder(), tokenD.getIssuerTokenLocator(), asRAR, repository, holders);
546  43 if (vRars.isEmpty()) {
547  0 if (!downgradeable) return false;
548    else {
549  10 Credentials vCreds = allocationPolicy.validate(token.getHolder(), token.getIssuerTokenLocator(), token.getCredentials(), repository, holders);
550  10 if (vCreds.equals(emptyCreds)) return false;
551  1 depthsCreds.setCreds2(vCreds);
552  1 depthsCreds.setDepth2(-2);
553  1 return true;
554    }
555    }
556   
557  33 Vector tokens = new Vector();
558  68 for (int i = 0; i < vRars.size(); i++) {
559  35 AssignmentRule vRar = (AssignmentRule)vRars.get(i);
560  35 DelegatableToken t = new DefaultDelegatableToken(token.getHolder(),token.getIssuerTokenLocator(), emptyCreds, vRar.getCredentials(), vRar.getSubjectDomain(), vRar.getDelegationDepth());
561  35 tokens.add(t);
562    }
563  33 ParsedToken[] tokensSorted = comparator.predict(asRAR, tokens, token.getHolder());
564  33 DelegatableToken bestOne = (DelegatableToken) tokensSorted[0];
565  33 Credentials vCreds = bestOne.getDelegateableCredentials();
566  0 if (vCreds.equals(emptyCreds)) return false;
567  33 int vdepth = bestOne.getDepth();
568  33 if ((vCreds.contains(depthsCreds.getCreds1())) && (vdepth == depthsCreds.getDepth1())) {
569  7 depthsCreds.setCreds2((Credentials)depthsCreds.getCreds1().clone());
570  7 depthsCreds.setDepth2(vdepth);
571  7 return true;
572    } else {
573  0 if (!downgradeable) return false;
574  26 depthsCreds.setCreds2(vCreds);
575  26 depthsCreds.setDepth2(vdepth);
576  26 return true;
577    }
578    }
579    } catch (Exception e) {
580  0 return false;
581    }
582    }
583   
 
584  29 toggle private String checkAndConstrain(String issuerDN, String holderDN, String assertion, DepthsCreds depthsCreds) {
585  29 issrg.pba.ParsedToken token1 = createParsedToken(issuerDN, holderDN, depthsCreds.getCreds1(), assertion, depthsCreds.getDepth1());
586  29 if (checkAndConstrain(token1, depthsCreds)) {
587    //System.out.println("Before checking with the DIS (in checkAndConstrain function) : " + depthsCreds.getCreds2());
588  21 issrg.pba.ParsedToken token2 = createParsedToken(DIS, holderDN, depthsCreds.getCreds2(), assertion, depthsCreds.getDepth2());
589  21 if (checkAndConstrain(token2, depthsCreds)) {
590    //System.out.println("After checking with the DIS (in checkAndConstrain function) : " + depthsCreds.getCreds2());
591  20 return SATISFIED;
592  1 } else return Comm.DIS_DO_NOT_HAVE_ENOUGH_PRIVILEGE;
593  8 } else return Comm.ISSUER_DONOT_HAVE_ENOUGH_PRIVILEGES_OR_CAN_NOT_DOWNGRADE_PRIVILEGE_OR_WRONG_REQUEST;
594    }
595   
 
596  20 toggle private String getSerialNumber() {
597  20 String s = new Integer(virtualSerialNumber).toString();
598  20 virtualSerialNumber++;
599  20 return s;
600   
601    }
 
602  20 toggle private byte[] generateAC(String issuerDN, String holderDN,
603    SetOfSubsetsCredentials creds2, String assertion, int depth2) throws Exception {
604    //log.debug("Generating AC:...");
605  20 try {
606  20 BigInteger ACSerialNumber;
607  20 ACSerialNumber = new BigInteger(this.getSerialNumber(),16);
608  20 ACSerialNumber = ACSerialNumber.abs();
609    //System.out.println(creds2.toString());
610  20 ValidityPeriod vp = ((ExpirableCredentials)creds2.getValue().get(0)).getValidityPeriod();
611  20 GregorianCalendar nb = new GregorianCalendar();
612  20 nb.setTime(vp.getNotBefore());
613  20 GregorianCalendar na = new GregorianCalendar();
614  20 na.setTime(vp.getNotAfter());
615  20 issrg.ac.Generalized_Time notBf = new issrg.ac.Generalized_Time(nb);
616  20 issrg.ac.Generalized_Time notAf = new issrg.ac.Generalized_Time(na);
617  20 issrg.ac.AttCertValidityPeriod validity_period = new issrg.ac.AttCertValidityPeriod(notBf, notAf);
618   
619  20 Vector r = creds2.getValue();
620  20 Hashtable roleTypesValues = new Hashtable();
621  44 for (int i = 0; i < r.size(); i++) {
622  24 ExpirableCredentials exp = (ExpirableCredentials) r.get(i);
623  24 PermisCredentials permisCredentials = (PermisCredentials) exp.getExpirable();
624  24 String type = permisCredentials.getRoleType();
625  24 String roleTypeID = (String) roleTypes.get(type);
626  24 Vector a = (Vector) roleTypesValues.get(roleTypeID);
627  24 if (a == null) roleTypesValues.put(roleTypeID, a = new Vector());
628  24 a.add(new issrg.ac.attributes.PermisRole(permisCredentials.getRoleValueAsString()));
629    }
630  20 Vector attributes = new Vector();
631  20 Enumeration e = roleTypesValues.keys();
632  40 while (e.hasMoreElements()) {
633  20 String ID = (String) e.nextElement();
634  20 Vector roles = (Vector) roleTypesValues.get(ID);
635  20 attributes.add(new issrg.ac.Attribute(ID, roles));
636    }
637   
638  20 if (attributes.size() == 0) {
639  0 return new byte[0];
640    }
641   
642  20 Vector extensionCollection = new Vector();
643  20 if (!assertion.equals("can")) extensionCollection.add(new issrg.ac.attributes.NoAssertion());
644  20 if (depth2 > -2) {
645  16 extensionCollection.add(new issrg.ac.attributes.BasicAttConstraint(false, depth2));
646    }
647   
648   
649  20 String DN = issrg.utils.RFC2253NameParser.toCanonicalDN(issrg.utils.RFC2253NameParser.distinguishedName(issuerDN));
650  20 GeneralName issuerGeneralName = new GeneralName(GeneralName.directoryName, new iaik.utils.RFC2253NameParser(DN).parse());
651  20 extensionCollection.add(new issrg.ac.attributes.IssuedOnBehalfOf(false, issuerGeneralName));
652  20 if (aai != null) extensionCollection.add(aai);
653  0 if (aaia != null) extensionCollection.add(aaia);
654  20 issrg.ac.Extensions extensions = new issrg.ac.Extensions(extensionCollection);
655   
656  20 iaik.asn1.structures.GeneralNames hn = issrg.ac.Util.buildGeneralNames(holderDN);
657  20 issrg.ac.Holder holder = new issrg.ac.Holder(null, hn, null);
658  20 issrg.ac.AttCertIssuer issuer;
659  20 issrg.ac.V2Form signer = new issrg.ac.V2Form(DISGeneralNames, rootCASerial, null);
660  20 signer.setObjectDigestInfo(null);
661  20 issuer = new issrg.ac.AttCertIssuer(null, signer);
662   
663    //log.debug("Generating attribute certificate info");
664  20 issrg.ac.AttributeCertificateInfo aci = new issrg.ac.AttributeCertificateInfo(
665    new issrg.ac.AttCertVersion(issrg.ac.AttCertVersion.V2),
666    holder,
667    issuer,
668    signatureAlg,
669    ACSerialNumber,
670    validity_period,
671    attributes,
672    null,
673    extensions
674    );
675    //log.debug("Generating AC right now");
676  20 byte[] b = aci.getEncoded();
677  20 byte[] ac = new issrg.ac.AttributeCertificate(
678    aci,
679    signatureAlg,
680    new BIT_STRING(signingUtility.sign(b))
681    ).getEncoded();
682  20 return ac;
683    } catch (Exception e) {
684    //log.fatal(e.toString());
685  0 throw new Exception("Error when generating requested AC");
686    }
687    }
688   
 
689  20 toggle private void storeToLDAP(byte[] ac) throws Exception {
690  20 try {
691  20 synchronized(ldapUtility) {
692    //log.debug(issrg.ac.AttributeCertificate.guessEncoding(ac).toString());
693  20 ldapUtility.save(ac);
694    }
695    } catch (Exception e) {
696    //log.debug(e.toString());
697  0 throw new Exception("Error when writing to LDAP");
698    }
699    }
700   
 
701  0 toggle private issrg.pba.ParsedToken createParsedToken(AttributeCertificate ac, String issuerDN){
702  0 try {
703  0 ParsedToken token = tokenParser.decode(ac.getEncoded());
704  0 LDAPDNPrincipal issuerPrincipal = new LDAPDNPrincipal(token.getIssuerTokenLocator().getEntry().getEntryName().getName());
705  0 LDAPDNPrincipal issuerDNPricipal = new LDAPDNPrincipal(issuerDN);
706  0 if (issuerPrincipal.equals(issuerDNPricipal)) {
707  0 return token;
708    } else {
709  0 ParsedToken tok;
710    //new EntryLocator(new UserEntry(issuerDNPricipal), new DNWithURLPrincipal(issuerDN, LDAP), null));
711  0 EntryLocator entry = new EntryLocator(new UserEntry(issuerDNPricipal), issuerDNPricipal, r, null);
712  0 if (token instanceof DefaultDelegatableToken) {
713  0 DefaultDelegatableToken del = (DefaultDelegatableToken) token;
714  0 tok = new DefaultDelegatableToken(del.getHolder(), entry, del.getCredentials(), del.getDelegateableCredentials(), del.getSubjectDomain(), del.getDepth());
715    } else {
716  0 tok = new DefaultParsedToken(token.getHolder(), entry, token.getCredentials());
717    }
718  0 return tok;
719    }
720    } catch (Exception e) {
721  0 if (verbose) e.printStackTrace();
722  0 return null;
723    }
724    }
725   
726   
 
727  50 toggle private issrg.pba.ParsedToken createParsedToken(String issuerDN, String holderDN, Credentials creds, String assertion, int deep) {
728  50 try {
729  50 issrg.utils.repository.TokenLocator issuerLocator;
730  50 LDAPDNPrincipal issuerPrincipal = new LDAPDNPrincipal(issrg.utils.RFC2253NameParser.toCanonicalDN(issuerDN));
731  50 issuerLocator = new EntryLocator(new UserEntry(issuerPrincipal), issuerPrincipal, r, null);
732  50 Credentials assertableCredentials = creds;
733  50 Credentials delegateableCredentials = creds;
734  50 if (!assertion.equals("can")) assertableCredentials = new SetOfSubsetsCredentials();
735   
736  50 if (deep < -1) return new issrg.pba.DefaultParsedToken(new UserEntry(new LDAPDNPrincipal(holderDN)), issuerLocator, assertableCredentials);
737  43 return new issrg.pba.DefaultDelegatableToken(new UserEntry(new LDAPDNPrincipal(holderDN)), issuerLocator, assertableCredentials, delegateableCredentials, new issrg.pba.rbac.policies.DITSubtree(LDAPDNPrincipal.WHOLE_WORLD_DN, 0, -1, null, null), deep);
738  0 }catch (Exception pe) { return null;}
739    }
740   
741   
742   
 
743  30 toggle private SetOfSubsetsCredentials createSet(String roleTypesValues, String from, String to) {
744    //log.debug("RoleTypesValues, from and to parameters are : " + roleTypesValues + " " + from + " " + to);
745  30 Date nb, na;
746  30 java.text.DateFormat dateformat = new java.text.SimpleDateFormat("EEE MMM dd HH:mm:ss Z yyyy");
747  30 try {
748  30 nb = dateformat.parse(from);
749  0 na = dateformat.parse(to);
750    } catch (java.text.ParseException pe) {
751  30 try {
752  30 nb = issrg.ac.Util.buildGeneralizedTime(from).getTime().getTime();
753  30 na = issrg.ac.Util.buildGeneralizedTime(to).getTime().getTime();
754    } catch (Exception e) {
755  0 return null;
756    }
757    }
758  30 ValidityPeriod vp = new AbsoluteValidityPeriod(nb, na);
759   
760  30 Vector rTypesValues = new Vector();
761  30 Enumeration tok1 = new java.util.StringTokenizer(roleTypesValues,SEPARATOR_APACHE); // NOTE: SEPARATOR_APACHE = ","
762  30 Vector vector1 = new Vector();
763  60 while (tok1.hasMoreElements()) vector1.add(tok1.nextElement());
764  60 for (int i = 0; i < vector1.size(); i++) {
765  30 String typeValues = (String) vector1.get(i);
766  30 int j = typeValues.indexOf(":");
767  30 if (j > 0) {
768  30 String type = typeValues.substring(0, j);
769  30 Enumeration enumeration = ((Hashtable)roleTypes).keys();
770  30 boolean found = false;
771  31 while (enumeration.hasMoreElements()) {
772  30 String o = (String) enumeration.nextElement();
773  30 if (type.equals(o)) {
774  29 found = true;
775  29 break;
776    }
777    }
778  30 if (!found) continue;
779  29 String values = typeValues.substring(j + 1, typeValues.length()).trim();
780  29 Enumeration tok2 = new java.util.StringTokenizer(values, SPACE);
781  71 while (tok2.hasMoreElements()) {
782  42 issrg.pba.rbac.RoleHierarchyNode rhn = roleHierarchyPolicy.getRole(type, (String)tok2.nextElement());
783  0 if (rhn == null) continue; //ignore???
784  42 rTypesValues.add(new ExpirableCredentials(new PermisCredentials(rhn),vp));
785    }
786    }
787    }
788  30 SetOfSubsetsCredentials credentials = new SetOfSubsetsCredentials(rTypesValues);
789    //log.debug("Created credentials is: " + credentials.toString());
790  30 return credentials;
791   
792    }
793   
794    // private boolean canBeIssued(Hashtable acParams) {
795    // try {
796    // String clientDN = issrg.utils.RFC2253NameParser.toCanonicalDN((String)acParams.get(CLIENTDN)).toUpperCase();
797    // String issuerDN = issrg.utils.RFC2253NameParser.toCanonicalDN((String)acParams.get(ISSUERDN)).toUpperCase();
798    // String holderDN = issrg.utils.RFC2253NameParser.toCanonicalDN((String)acParams.get(HOLDERDN)).toUpperCase();
799    // String issuedOnBehalfOf = issrg.utils.RFC2253NameParser.toCanonicalDN((String)acParams.get(IOBO));
800    // if (issuedOnBehalfOf == null) issuedOnBehalfOf = ""; else issuedOnBehalfOf = issuedOnBehalfOf.toUpperCase();
801    // if (clientDN.equals(issuerDN) || clientDN.equals(holderDN) || clientDN.equals(issuedOnBehalfOf) || clientDN.equals(SOA)) return true;
802    //
803    // String roleTypesValues = (String) acParams.get(ROLETYPESVALUES);
804    // String depthS = (String) acParams.get(DELEGATION_DEPTH);
805    // int depth = new Integer(depthS).intValue() - 1;
806    // String notBefore = (String) acParams.get(NOT_BEFORE);
807    // String notAfter = (String) acParams.get(NOT_AFTER);
808    // SetOfSubsetsCredentials set = createSet(roleTypesValues, notBefore, notAfter);
809    // //whether holder can assert credentials is not important here
810    // ParsedToken token1 = createParsedToken(issuerDN, holderDN, set, "can", depth, null);
811    // ParsedToken token2 = createParsedToken(clientDN, holderDN, set, "can", depth, null);
812    // return checkCanBeIssued(token1, token2);
813    //
814    // } catch (Exception e) {
815    // //log.fatal(e.toString());
816    // return false;
817    // }
818    // }
819   
820   
 
821  0 toggle private boolean checkCanBeIssued(ParsedToken token1, ParsedToken token2) {
822  0 try{
823   
824    // issrg.pba.repository.AuthTokenRepository authRepository = createAuthRepository(token2);
825  0 Vector holders2 = new Vector();
826  0 holders2.add(token2.getHolder());
827  0 Credentials vCreds2 = allocationPolicy.validate(token2.getHolder(), token2.getIssuerTokenLocator(), token2.getCredentials(), repository, holders2);
828   
829  0 Vector vRules2 = new Vector();
830  0 if (token2 instanceof DelegatableToken) {
831  0 DelegatableToken tokenD = (DelegatableToken) token2;
832  0 AssignmentRule assRule = new AssignmentRule(tokenD.getSubjectDomain(), tokenD.getDepth(), tokenD.getDelegateableCredentials());
833  0 vRules2 = allocationPolicy.validate(tokenD.getHolder(), tokenD.getIssuerTokenLocator(), assRule, repository, holders2);
834    }
835   
836  0 Credentials vCreds1;
837  0 Vector vRules1 = new Vector();
838  0 if (token1 instanceof DelegatableToken) {
839  0 DelegatableToken tokenD = (DelegatableToken) token1;
840  0 vCreds1 = tokenD.getDelegateableCredentials();
841  0 vRules1.add(new AssignmentRule(tokenD.getSubjectDomain(), tokenD.getDepth(), tokenD.getDelegateableCredentials()));
842    } else {
843  0 vCreds1 = token1.getCredentials();
844    }
845  0 if ((vCreds2.contains(vCreds1)) && contains(vRules2, vRules1)) {
846  0 return true;
847    } else {
848  0 return false;
849    }
850    } catch (Exception e) {
851    //Some errors happen, revocation fails
852  0 return false;
853    }
854    }
855   
 
856  0 toggle private boolean contains(Vector vRules2, Vector vRules1) {
857  0 for (java.util.Iterator ite = vRules1.iterator(); ite.hasNext();) {
858  0 AssignmentRule vRule1 = (AssignmentRule) ite.next();
859  0 for (int i = 0; i < vRules2.size(); i++) {
860  0 AssignmentRule vRule2 = (AssignmentRule) vRules2.get(i);
861  0 if ((vRule2.getCredentials().contains(vRule1.getCredentials())) && (vRule2.getDelegationDepth() >= vRule1.getDelegationDepth())) {
862  0 ite.remove();
863  0 break;
864    }
865    }
866    }
867  0 if (vRules1.isEmpty()) return true; else return false;
868    }
869   
 
870  0 togglepublic String[] searchForMe(String holderDN) {
871  0 try {
872  0 javax.naming.directory.Attribute attrs = ldapUtility.loadACs(holderDN);
873  0 if (attrs == null) return null;
874  0 int num = attrs.size();
875  0 if (num == 0) return null;
876  0 String[] ret = new String[num];
877  0 for (int i = 0; i < num; i++) {
878  0 byte[] acObject = (byte[]) attrs.get(i);
879  0 issrg.ac.AttributeCertificate ac = issrg.ac.AttributeCertificate.guessEncoding(acObject);
880  0 ret[i] = createACMessage(ac);
881    }
882  0 return ret;
883    } catch (Exception e) {
884  0 if(verbose) e.printStackTrace();
885  0 return null;
886    }
887    }
888   
889   
 
890  0 toggle private String createACMessage(issrg.ac.AttributeCertificate ac) {
891   
892    //log.debug("Start creating message...");
893  0 StringBuffer ret = new StringBuffer();
894  0 String issuerDN = issrg.ac.Util.generalNamesToString(ac.getACInfo().getIssuer().getV1Form()==null?ac.getACInfo().getIssuer().getV2Form().getIssuerName():ac.getACInfo().getIssuer().getV1Form()).toUpperCase();
895  0 ret.append(issuerDN).append(SEPARATOR);
896  0 ret.append(issrg.ac.Util.generalNamesToString(ac.getACInfo().getHolder().getEntityName()).toUpperCase()).append(SEPARATOR);
897  0 ret.append(ac.getACInfo().getSerialNumber().toString()).append(SEPARATOR);
898  0 boolean policy_found = false;
899  0 String roleTypesValues = "";
900  0 Vector attrs = ac.getACInfo().getAttributes();
901  0 for (int i = 0; i < attrs.size(); i++) {
902  0 issrg.ac.Attribute attr = (issrg.ac.Attribute) attrs.get(i);
903  0 String oid = attr.getType();
904  0 String type = "";
905  0 if (oid.equals(issrg.ac.attributes.PMIXMLPolicy.PMI_XML_POLICY_ATTRIBUTE_OID)) {
906  0 roleTypesValues = roleTypesValues + Comm.PMI_XML_POLICY + SEPARATOR_APACHE;
907  0 policy_found = true;
908  0 break;
909    }
910   
911  0 Enumeration enumeration = ((Hashtable)roleTypes).keys();
912  0 while (enumeration.hasMoreElements()) {
913  0 Object o = enumeration.nextElement();
914  0 String OID = (String) roleTypes.get(o);
915  0 if (OID.equals(oid)) {
916  0 type = (String) o;
917  0 break;
918    }
919    }
920  0 roleTypesValues = roleTypesValues + type + ":";
921  0 Vector values = attr.getValues();
922  0 for (int j = 0; j < values.size() -1 ; j++) {
923  0 PermisRole value = (PermisRole) values.get(j);
924  0 roleTypesValues = roleTypesValues + value.getRoleValue() + SPACE;
925    }
926  0 PermisRole value = (PermisRole) values.get(values.size() -1);
927  0 roleTypesValues = roleTypesValues + value.getRoleValue();
928  0 roleTypesValues = roleTypesValues + SEPARATOR_APACHE;
929    }
930  0 roleTypesValues = roleTypesValues.substring(0, roleTypesValues.length() -1);
931   
932  0 ret.append(roleTypesValues).append(SEPARATOR);
933   
934  0 ret.append(ac.getACInfo().getValidityPeriod().getNotBefore().getTime().getTime().toString()).append(SEPARATOR);
935  0 ret.append(ac.getACInfo().getValidityPeriod().getNotAfter().getTime().getTime().toString()).append(SEPARATOR);
936   
937  0 if (!policy_found) {
938  0 Extensions exts = ac.getACInfo().getExtensions();
939  0 int depth = -1;
940  0 String assertion = Comm.CAN_ASSERT;
941  0 String iobo = Comm.ISSUED_ON_BEHALF_OF_NOT_PRESENT.intern();
942  0 if (exts != null) {
943  0 Vector extensions = exts.getValues();
944  0 for (int i = 0; i < extensions.size(); i++) {
945  0 Extension e = (Extension) extensions.get(i);
946  0 if (e instanceof BasicAttConstraint) { depth = ((BasicAttConstraint)e).getDepth() + 1; continue;}
947  0 if (e instanceof NoAssertion) {assertion = Comm.CAN_NOT_ASSERT; continue;}
948  0 if (e instanceof IssuedOnBehalfOf) { iobo = ((IssuedOnBehalfOf)e).getIssuerDN().intern(); continue;}
949    }
950    }
951   
952  0 ret.append(new Integer(depth).toString()).append(SEPARATOR);
953  0 ret.append(assertion).append(SEPARATOR);
954  0 ret.append(iobo).append(DOUBLE_SEPARATOR);
955    //log.debug("Before validating we have a message: "+ ret.toString());
956  0 boolean valid1, valid2;
957  0 valid2 = true;
958  0 valid1 = issueable(ac, issuerDN);
959  0 if (iobo != Comm.ISSUED_ON_BEHALF_OF_NOT_PRESENT) valid2 = issueable(ac, iobo);
960  0 if (valid1 && valid2) ret.append("1"); else ret.append("0");
961    //log.debug("After validating, we have: "+ ret.toString());
962  0 return ret.toString();
963    } else {
964  0 return ret.substring(0, ret.length() - 1);
965    }
966    }
967   
968   
 
969  0 toggle private boolean issueable(AttributeCertificate ac, String issuerDN) {
970  0 try{
971  0 ParsedToken tok = tokenParser.decode(ac.getEncoded());
972  0 ParsedToken token;
973  0 EntryLocator entry = new EntryLocator(new UserEntry(new LDAPDNPrincipal(issuerDN)), new LDAPDNPrincipal(issuerDN), r, null);
974  0 if (tok instanceof DelegatableToken) {
975  0 DelegatableToken tokD = (DelegatableToken) tok;
976  0 token = new DefaultDelegatableToken(tokD.getHolder(), entry, tokD.getCredentials(), tokD.getDelegateableCredentials(), tokD.getSubjectDomain(), tokD.getDepth());
977    } else {
978  0 token = new DefaultParsedToken(tok.getHolder(), entry, tok.getCredentials());
979    }
980    //ldapUtility.populate(token.getHolder().getEntryName().getName(), AC_attribute, token);
981   
982    // issrg.pba.repository.AuthTokenRepository rep = createAuthRepository(token);
983   
984   
985  0 Vector holders = new Vector();
986  0 holders.add(token.getHolder());
987  0 if (token instanceof DelegatableToken) {
988  0 DelegatableToken tokenD = (DelegatableToken) token;
989  0 AssignmentRule assRule = new AssignmentRule(tokenD.getSubjectDomain(), tokenD.getDepth(), tokenD.getDelegateableCredentials());
990  0 Vector vRules = new Vector();
991  0 vRules = allocationPolicy.validate(tokenD.getHolder(), tokenD.getIssuerTokenLocator(), assRule, repository, holders);
992  0 if (vRules.isEmpty()) return false;
993  0 Vector tokens = new Vector();
994  0 for (int i = 0; i < vRules.size(); i++) {
995  0 AssignmentRule vRule = (AssignmentRule)vRules.get(i);
996  0 DelegatableToken t = new DefaultDelegatableToken(token.getHolder(),token.getIssuerTokenLocator(), emptyCreds, vRule.getCredentials(), new DITSubtree((LDAPDNPrincipal)token.getHolder().getEntryName(), 0, -1, null, null), vRule.getDelegationDepth());
997  0 tokens.add(t);
998    }
999  0 ParsedToken[] tokensSorted = comparator.predict(assRule, tokens, token.getHolder());
1000  0 DelegatableToken bestOne = (DelegatableToken) tokensSorted[0];
1001  0 if (bestOne.getDelegateableCredentials().contains(tokenD.getDelegateableCredentials()) && (bestOne.getDepth()==tokenD.getDepth())) return true; else return false;
1002    } else {
1003  0 Credentials vCreds = allocationPolicy.validate(token.getHolder(), token.getIssuerTokenLocator(), token.getCredentials(), repository, holders);
1004  0 if (vCreds.contains(token.getCredentials())) return true; else return false;
1005    }
1006    } catch (Exception e) {
1007  0 return false;
1008    }
1009    }
1010   
1011    // private issrg.pba.repository.AuthTokenRepository createAuthRepository(ParsedToken o) throws Exception {
1012    // issrg.utils.repository.VirtualRepository vRepository;
1013    // issrg.simplePERMIS.SimplePERMISAuthTokenRepository repository = new issrg.simplePERMIS.SimplePERMISAuthzTokenRepository(vRepository = new issrg.utils.repository.VirtualRepository(), tokenParser);
1014    // vRepository.populate(o.getHolder().getEntryName().getName(), CustomisePERMIS.getAttributeCertificateAttribute(), o);
1015    // return repository;
1016    // }
1017   
1018   
 
1019  0 toggle public String[] revokeForMe(String requestorDN, String holderDN, String[] issuerDN, String[] serials) {
1020  0 String[] ret = new String[issuerDN.length];
1021  0 int count = 0; //this variable is used to remember the number of AC. If you want to revoke a broken AC, you would need it.
1022  0 for (int i = 0; i < issuerDN.length; i++) {
1023  0 try {
1024  0 Vector indexes = new Vector();
1025  0 if (issuerDN[i].equals(Comm.BROKEN_AC)) {
1026  0 String idx = serials[i];
1027  0 Integer itg = new Integer(new Integer(idx).intValue() - count);
1028  0 count++;
1029  0 indexes.add(itg);
1030  0 revoke(holderDN, indexes);
1031  0 ret[i] = Comm.REVOKE_SUCCESS;
1032  0 continue;
1033    }
1034   
1035  0 LDAPDNPrincipal iss = new LDAPDNPrincipal(issuerDN[i]);
1036  0 LDAPDNPrincipal hol = new LDAPDNPrincipal(holderDN);
1037   
1038  0 boolean foundSOAAsIssuer = false;
1039  0 for (int j = 0; j < soas.size(); j++)
1040  0 if (((LDAPDNPrincipal) soas.get(j)).equals(iss)) {
1041  0 foundSOAAsIssuer = true;
1042  0 break;
1043    }
1044   
1045  0 LDAPDNPrincipal dis = new LDAPDNPrincipal(DIS);
1046  0 if (hol.equals(dis) && foundSOAAsIssuer) {
1047  0 ret[i] = Comm.USE_ACM_TOOL_TO_REVOKE;
1048  0 continue;
1049    }
1050   
1051  0 synchronized (ldapUtility) {
1052  0 AttributeCertificate ac = checkRevoke(holderDN, issuerDN[i], new BigInteger(serials[i]), indexes);
1053  0 if (canBeIssued(ac, requestorDN) && revoke(holderDN, indexes)) {
1054  0 ret[i] = Comm.REVOKE_SUCCESS;
1055  0 count++;
1056    } else {
1057  0 ret[i] = Comm.REVOCATION_REJECT;
1058    }
1059    }
1060    } catch (Exception e) {
1061  0 ret[i] = Comm.REVOCATION_REJECT;
1062    }
1063    }
1064  0 return ret;
1065    }
1066   
 
1067  0 toggle private boolean canBeIssued(AttributeCertificate ac, String clientDN) {
1068  0 if (ac == null) return false;
1069  0 try {
1070  0 String issuerDN = issrg.ac.Util.generalNamesToString(ac.getACInfo().getIssuer().getV1Form()==null?ac.getACInfo().getIssuer().getV2Form().getIssuerName():ac.getACInfo().getIssuer().getV1Form()).toUpperCase();
1071  0 String holderDN = issrg.ac.Util.generalNamesToString(ac.getACInfo().getHolder().getEntityName()).toUpperCase();
1072  0 String issuedOnBehalfOf = "";
1073  0 Extensions exts = ac.getACInfo().getExtensions();
1074  0 if (exts != null) {
1075  0 Vector extensions = exts.getValues();
1076  0 for (int i = 0; i < extensions.size(); i++) {
1077  0 issrg.ac.Extension e = (issrg.ac.Extension) extensions.get(i);
1078  0 if (e instanceof issrg.ac.attributes.IssuedOnBehalfOf) {
1079  0 issuedOnBehalfOf = ((issrg.ac.attributes.IssuedOnBehalfOf) e).getIssuerDN().toUpperCase();
1080  0 break;
1081    }
1082    }
1083    }
1084  0 LDAPDNPrincipal clientPrincipal = new LDAPDNPrincipal(clientDN);
1085  0 LDAPDNPrincipal holderPrincipal = new LDAPDNPrincipal(holderDN);
1086  0 LDAPDNPrincipal issuerPrincipal = new LDAPDNPrincipal(issuerDN);
1087  0 LDAPDNPrincipal ioboPrincipal = new LDAPDNPrincipal(issuedOnBehalfOf);
1088  0 if (clientPrincipal.equals(issuerPrincipal) || clientPrincipal.equals(holderPrincipal) || clientPrincipal.equals(ioboPrincipal)) return true;
1089  0 ParsedToken token1 = tokenParser.decode(ac.getEncoded());
1090  0 ParsedToken token2 = createParsedToken(ac, clientDN);
1091  0 boolean ret = checkCanBeIssued(token1, token2);
1092  0 String s;
1093  0 if (ret) s = "Client can issue the AC"; else s = "Client can not issue the AC";
1094  0 return ret;
1095    }catch (Exception e) {
1096  0 return false;
1097    }
1098   
1099    }
1100   
1101   
 
1102  0 toggle private AttributeCertificate checkRevoke(String holderDN, String issuerDN, BigInteger serial, Vector indexes) {
1103  0 return checkRepository(holderDN, issuerDN, serial, indexes);
1104    }
1105   
 
1106  0 toggle private AttributeCertificate checkRepository(String holderDN, String issuerDN, BigInteger serialRequested, Vector indexes) {
1107  0 try {
1108  0 javax.naming.directory.Attribute attrs = ldapUtility.loadACs(holderDN);
1109  0 int num = attrs.size();
1110  0 if (num == 0) return null;
1111  0 for (int i = 0; i < num; i++) {
1112  0 try {
1113  0 byte[] acObject = (byte[]) attrs.get(i);
1114  0 issrg.ac.AttributeCertificate ac = issrg.ac.AttributeCertificate.guessEncoding(acObject);
1115  0 AttributeCertificateInfo info = ac.getACInfo();
1116  0 String issuer = issrg.ac.Util.generalNamesToString(info.getIssuer().getV1Form()==null?ac.getACInfo().getIssuer().getV2Form().getIssuerName():ac.getACInfo().getIssuer().getV1Form()).toUpperCase();
1117  0 BigInteger serial = info.getSerialNumber();
1118  0 if ((issuer.toUpperCase().equals(issuerDN.toUpperCase())) && (serial.compareTo(serialRequested) == 0)) {
1119  0 indexes.add(new Integer(i));
1120  0 return ac;
1121    } else {
1122  0 continue;
1123    }
1124    } catch (Exception e) {
1125  0 continue;
1126    }
1127    }
1128  0 return null;
1129    } catch (Exception e) {
1130  0 return null;
1131    }
1132   
1133    }
1134   
 
1135  0 toggle private boolean revoke(String holderDN, Vector indexes) {
1136  0 try{
1137  0 if (indexes.size() > 0) {
1138  0 for (int i = 0; i < indexes.size(); i++) {
1139  0 Integer index = (Integer) indexes.get(i);
1140    //log.debug("going to delete AC from repository");
1141  0 ldapUtility.deleteAC(holderDN, index.intValue());
1142    //log.debug("The AC is revoked");
1143    }
1144  0 return true;
1145  0 } else return true; //nothing needs to revoke
1146    } catch (Exception e) {
1147    //log.fatal(e.toString());
1148  0 return false;
1149    }
1150    }
1151   
 
1152    public class DepthsCreds {
1153   
1154    /** Creates a new instance of Parameters */
 
1155  29 toggle public DepthsCreds() {
1156    }
1157   
1158    private int depth1;
1159    private int depth2;
1160    private issrg.pba.Credentials creds1;
1161    private issrg.pba.Credentials creds2;
1162   
 
1163  29 toggle public void setDepth1(int i) {
1164  29 depth1 = i;
1165    }
1166   
 
1167  41 toggle public void setDepth2 (int i) {
1168  41 depth2 = i;
1169    }
 
1170  29 toggle public void setCreds1 (issrg.pba.Credentials creds) {
1171  29 creds1 = creds;
1172    }
 
1173  41 toggle public void setCreds2 (issrg.pba.Credentials creds) {
1174  41 creds2 = creds;
1175    }
1176   
 
1177  38 toggle public int getDepth1() {
1178  38 return depth1;
1179    }
 
1180  61 toggle public int getDepth2() {
1181  61 return depth2;
1182    }
 
1183  79 toggle public issrg.pba.Credentials getCreds1() {
1184  79 return creds1;
1185    }
 
1186  41 toggle public issrg.pba.Credentials getCreds2() {
1187  41 return creds2;
1188    }
1189   
 
1190  0 toggle public String toString() {
1191  0 StringBuffer ret = new StringBuffer();
1192  0 ret.append("Creds1 is: ");
1193  0 if (creds1 == null) ret.append("null "); else ret.append(creds1.toString());
1194  0 ret.append(" delegation depth1 is: "); ret.append(depth1);
1195  0 ret.append(" Creds2 is: ");
1196  0 if (creds2 == null) ret.append("null"); else ret.append(creds2.toString());
1197  0 ret.append(" delegation depth2 is: "); ret.append(depth2);
1198  0 return ret.toString();
1199    }
1200    }
1201    }