Java tutorial
/* * * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. * */ package org.apache.airavata.gfac.bes.security; import org.apache.airavata.common.exception.ApplicationSettingsException; import org.apache.airavata.common.utils.ServerSettings; import org.apache.airavata.credential.store.credential.Credential; import org.apache.airavata.credential.store.credential.impl.certificate.CertificateCredential; import org.apache.airavata.credential.store.store.CredentialReader; import org.apache.airavata.gfac.core.GFacConstants; import org.apache.airavata.gfac.core.context.AbstractSecurityContext; import org.apache.airavata.gfac.core.GFacException; import org.apache.airavata.gfac.core.RequestData; import org.apache.airavata.gfac.bes.utils.MyProxyLogon; import org.bouncycastle.asn1.ASN1InputStream; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x500.style.BCStyle; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import eu.emi.security.authn.x509.X509Credential; import eu.emi.security.authn.x509.helpers.CertificateHelpers; import eu.emi.security.authn.x509.helpers.proxy.X509v3CertificateBuilder; import eu.emi.security.authn.x509.impl.CertificateUtils; import eu.emi.security.authn.x509.impl.DirectoryCertChainValidator; import eu.emi.security.authn.x509.impl.KeyAndCertCredential; import eu.emi.security.authn.x509.impl.CertificateUtils.Encoding; import eu.emi.security.authn.x509.impl.X500NameUtils; import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.math.BigInteger; import java.security.InvalidKeyException; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Date; import java.util.List; import java.util.Random; import javax.security.auth.x500.X500Principal; /** * Handles X509 Certificate based security. */ public class X509SecurityContext extends AbstractSecurityContext { private static final long serialVersionUID = 1L; protected static final Logger log = LoggerFactory.getLogger(X509SecurityContext.class); /* * context name */ public static final String X509_SECURITY_CONTEXT = "x509.security.context"; public static final int CREDENTIAL_RENEWING_THRESH_HOLD = 10 * 90; protected static DirectoryCertChainValidator dcValidator; private X509Credential x509Credentials = null; static { try { setUpTrustedCertificatePath(); // set up directory based trust validator dcValidator = getTrustedCerts(); } catch (Exception e) { log.error(e.getLocalizedMessage(), e); } } public static void setUpTrustedCertificatePath(String trustedCertificatePath) { File file = new File(trustedCertificatePath); if (!file.exists() || !file.canRead()) { File f = new File("."); log.info("Current directory " + f.getAbsolutePath()); throw new RuntimeException("Cannot read trusted certificate path " + trustedCertificatePath); } else { System.setProperty(GFacConstants.TRUSTED_CERTIFICATE_SYSTEM_PROPERTY, file.getAbsolutePath()); } } private static void setUpTrustedCertificatePath() throws ApplicationSettingsException { String trustedCertificatePath = ServerSettings.getSetting(GFacConstants.TRUSTED_CERT_LOCATION); setUpTrustedCertificatePath(trustedCertificatePath); } /** * Gets the trusted certificate path. Trusted certificate path is stored in "X509_CERT_DIR" * system property. * @return The trusted certificate path as a string. */ public static String getTrustedCertificatePath() { return System.getProperty(GFacConstants.TRUSTED_CERTIFICATE_SYSTEM_PROPERTY); } public X509SecurityContext(CredentialReader credentialReader, RequestData requestData) { super(credentialReader, requestData); } /** * Gets X509Credentials. The process is as follows; * If credentials were queried for the first time create credentials. * 1. Try creating credentials using certificates stored in the credential store * 2. If 1 fails use user name and password to create credentials * @return x509credentials (from CANL security API) * @throws GFacException If an error occurred while creating credentials. * @throws org.apache.airavata.common.exception.ApplicationSettingsException */ public X509Credential getX509Credentials() throws GFacException, ApplicationSettingsException { if (getCredentialReader() == null) { return getDefaultCredentials(); } if (x509Credentials == null) { try { x509Credentials = getCredentialsFromStore(); } catch (Exception e) { log.error("An exception occurred while retrieving credentials from the credential store. " + "Will continue with my proxy user name and password.", e); } // If store does not have credentials try to get from user name and password if (x509Credentials == null) { x509Credentials = getDefaultCredentials(); } // if still null, throw an exception if (x509Credentials == null) { throw new GFacException("Unable to retrieve my proxy credentials to continue operation."); } } else { try { final long remainingTime = x509Credentials.getCertificate().getNotAfter().getTime() - new Date().getTime(); if (remainingTime < CREDENTIAL_RENEWING_THRESH_HOLD) { // return renewCredentials(); log.warn("Do not support credentials renewal"); } log.info("Fall back to get new default credentials"); try { x509Credentials.getCertificate().checkValidity(); } catch (Exception e) { x509Credentials = getDefaultCredentials(); } } catch (Exception e) { throw new GFacException("Unable to retrieve remaining life time from credentials.", e); } } return x509Credentials; } /** * Reads the credentials from credential store. * @return If token is found in the credential store, will return a valid credential. Else returns null. * @throws Exception If an error occurred while retrieving credentials. */ public X509Credential getCredentialsFromStore() throws Exception { if (getCredentialReader() == null) { return null; } Credential credential = getCredentialReader().getCredential(getRequestData().getGatewayId(), getRequestData().getTokenId()); if (credential != null) { if (credential instanceof CertificateCredential) { log.info("Successfully found credentials for token id - " + getRequestData().getTokenId() + " gateway id - " + getRequestData().getGatewayId()); CertificateCredential certificateCredential = (CertificateCredential) credential; X509Certificate[] certificates = certificateCredential.getCertificates(); KeyAndCertCredential keyAndCert = new KeyAndCertCredential(certificateCredential.getPrivateKey(), certificates); return keyAndCert; //return new GlobusGSSCredentialImpl(newCredential, // GSSCredential.INITIATE_AND_ACCEPT); } else { log.info("Credential type is not CertificateCredential. Cannot create mapping globus credentials. " + "Credential type - " + credential.getClass().getName()); } } else { log.info("Could not find credentials for token - " + getRequestData().getTokenId() + " and " + "gateway id - " + getRequestData().getGatewayId()); } return null; } /** * Gets the default proxy certificate. * @return Default my proxy credentials. * @throws GFacException If an error occurred while retrieving credentials. * @throws org.apache.airavata.common.exception.ApplicationSettingsException */ public X509Credential getDefaultCredentials() throws GFacException, ApplicationSettingsException { MyProxyLogon logon = new MyProxyLogon(); logon.setValidator(dcValidator); logon.setHost(getRequestData().getMyProxyServerUrl()); logon.setPort(getRequestData().getMyProxyPort()); logon.setUsername(getRequestData().getMyProxyUserName()); logon.setPassphrase(getRequestData().getMyProxyPassword().toCharArray()); logon.setLifetime(getRequestData().getMyProxyLifeTime()); try { logon.connect(); logon.logon(); logon.getCredentials(); logon.disconnect(); PrivateKey pk = logon.getPrivateKey(); return new KeyAndCertCredential(pk, new X509Certificate[] { logon.getCertificate() }); } catch (Exception e) { throw new GFacException("An error occurred while retrieving default security credentials.", e); } } private static DirectoryCertChainValidator getTrustedCerts() throws Exception { String certLocation = getTrustedCertificatePath(); List<String> trustedCert = new ArrayList<String>(); trustedCert.add(certLocation + "/*.0"); trustedCert.add(certLocation + "/*.pem"); DirectoryCertChainValidator dcValidator = new DirectoryCertChainValidator(trustedCert, Encoding.PEM, -1, 60000, null); return dcValidator; } private String getCNFromUserDN(String userDN) { return X500NameUtils.getAttributeValues(userDN, BCStyle.CN)[0]; } public KeyAndCertCredential generateShortLivedCredential(String userDN, String caCertPath, String caKeyPath, String caPwd) throws Exception { final long CredentialGoodFromOffset = 1000L * 60L * 15L; // 15 minutes // ago final long startTime = System.currentTimeMillis() - CredentialGoodFromOffset; final long endTime = startTime + 30 * 3600 * 1000; String keyLengthProp = "1024"; int keyLength = Integer.parseInt(keyLengthProp); String signatureAlgorithm = "SHA1withRSA"; KeyAndCertCredential caCred = getCACredential(caCertPath, caKeyPath, caPwd); KeyPairGenerator kpg = KeyPairGenerator.getInstance(caCred.getKey().getAlgorithm()); kpg.initialize(keyLength); KeyPair pair = kpg.generateKeyPair(); X500Principal subjectDN = new X500Principal(userDN); Random rand = new Random(); SubjectPublicKeyInfo publicKeyInfo; try { publicKeyInfo = SubjectPublicKeyInfo .getInstance(new ASN1InputStream(pair.getPublic().getEncoded()).readObject()); } catch (IOException e) { throw new InvalidKeyException( "Can not parse the public key" + "being included in the short lived certificate", e); } X500Name issuerX500Name = CertificateHelpers.toX500Name(caCred.getCertificate().getSubjectX500Principal()); X500Name subjectX500Name = CertificateHelpers.toX500Name(subjectDN); X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(issuerX500Name, new BigInteger(20, rand), new Date(startTime), new Date(endTime), subjectX500Name, publicKeyInfo); AlgorithmIdentifier sigAlgId = X509v3CertificateBuilder.extractAlgorithmId(caCred.getCertificate()); X509Certificate certificate = certBuilder.build(caCred.getKey(), sigAlgId, signatureAlgorithm, null, null); certificate.checkValidity(new Date()); certificate.verify(caCred.getCertificate().getPublicKey()); KeyAndCertCredential result = new KeyAndCertCredential(pair.getPrivate(), new X509Certificate[] { certificate, caCred.getCertificate() }); return result; } private KeyAndCertCredential getCACredential(String caCertPath, String caKeyPath, String password) throws Exception { InputStream isKey, isCert; isKey = isCert = null; try { isKey = new FileInputStream(caKeyPath); PrivateKey pk = CertificateUtils.loadPrivateKey(isKey, Encoding.PEM, password.toCharArray()); isCert = new FileInputStream(caCertPath); X509Certificate caCert = CertificateUtils.loadCertificate(isCert, Encoding.PEM); return new KeyAndCertCredential(pk, new X509Certificate[] { caCert }); } finally { if (isKey != null) { isKey.close(); } if (isCert != null) { isCert.close(); } } } }