org.italiangrid.voms.util.CredentialsUtils Maven / Gradle / Ivy

Go to download
Show more of this group Show more artifacts with this name
Show all versions of voms-api-java Show documentation
Java APIs to validate and request VOMS attribute certificates
There is a newer version: 3.3.2
/**
 * Copyright (c) Istituto Nazionale di Fisica Nucleare, 2006-2014.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.italiangrid.voms.util;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import java.io.RandomAccessFile;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.helpers.CertificateHelpers;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.CertificateUtils.Encoding;

/**
 * An utility class for handling credentials
 * 
 * @author Daniele Andreotti
 * @author Andrea Ceccanti
 * 
 */
public class CredentialsUtils {

  /**
   * 
   * The encoding used to serialize proxy credentials private key.
   *
   */
  public enum PrivateKeyEncoding {
    PKCS_1, PKCS_8
  }

  /**
   * The default encoding used when no encoding is specified by callers.
   */
  public static final PrivateKeyEncoding DEFAULT_ENCONDING = PrivateKeyEncoding.PKCS_1;

  /**
   * Serializes a private key to an output stream according to an encoding.
   * 
   * @param os
   *          the target output stream
   * @param key
   *          the key to be serialized
   * @param encoding
   *          the encoding
   *          
   * @throws IllegalArgumentException
   *          for unsupported private key encodings
   * @throws IOException
   *          if write fails for any reason on the output stream
   */
  public static void savePrivateKey(OutputStream os, PrivateKey key,
    PrivateKeyEncoding encoding) throws IOException {

    switch (encoding) {
    case PKCS_1:
      savePrivateKeyPKCS1(os, key);
      break;
    case PKCS_8:
      savePrivateKeyPKCS8(os, key);
      break;
    default:
      throw new IllegalArgumentException("Unsupported private key encoding: "
        + encoding.name());
    }
  }

  /**
   * Serializes a private key to an output stream following the pkcs8 encoding.
   * 
   * This method just delegates to canl, but provides a much more understandable
   * signature.
   * 
   * @param os
   * @param key
   * @throws IllegalArgumentException
   * @throws IOException
   */
  private static void savePrivateKeyPKCS8(OutputStream os, PrivateKey key)
    throws IllegalArgumentException, IOException {

    CertificateUtils.savePrivateKey(os, key, Encoding.PEM, null, null);

  }

  /**
   * Serializes a private key to an output stream following the pkcs1 encoding.
   * 
   * This method just delegates to canl, but provides a much more understandable
   * signature.
   * 
   * @param os
   * @param key
   * @throws IllegalArgumentException
   * @throws IOException
   */
  private static void savePrivateKeyPKCS1(OutputStream os, PrivateKey key)
    throws IllegalArgumentException, IOException {

    CertificateUtils.savePrivateKey(os, key, Encoding.PEM, null, new char[0],
      true);

  }

  /**
   * Saves user credentials as a plain text PEM data. 

   * Writes the user certificate chain first, then the user key.
   * 
   * @param os
   *          the output stream
   * @param uc
   *          the user credential that must be serialized
   * @param encoding
   *          the private key encoding
   *                    
   *                    
   * @throws IOException
   *          in case of errors writing on the output stream
   */
  public static void saveProxyCredentials(OutputStream os, X509Credential uc,
    PrivateKeyEncoding encoding) throws IOException {

    X509Certificate[] chain = CertificateHelpers.sortChain(Arrays.asList(uc
      .getCertificateChain()));

    PrivateKey key = uc.getKey();
    X509Certificate cert = uc.getCertificate();

    CertificateUtils.saveCertificate(os, cert, Encoding.PEM);

    if (key != null)
      savePrivateKey(os, key, encoding);

    X509Certificate c = null;
    for (int index = 1; index < chain.length; index++) {

      c = chain[index];

      int basicConstraints = c.getBasicConstraints();

      // Only save non-CA certs to proxy file
      if (basicConstraints < 0){
        CertificateUtils.saveCertificate(os, c, Encoding.PEM);
      }
      
    }

    os.flush();
  }

  /**
   * 
   * Saves user credentials as a plain text PEM data. 

   * Writes the user certificate chain first, then the user key, using the
   * default encoding specified in {@link #DEFAULT_ENCONDING}.
   *
   * @param os
   *          the output stream for the saved proxy
   *          
   * @param uc
   *          the user credential
   * 
   * @throws IOException
   *          in case of errors writing to the output stream
   * 
   */
  public static void saveProxyCredentials(OutputStream os, X509Credential uc)
    throws IOException {

    saveProxyCredentials(os, uc, DEFAULT_ENCONDING);
  }

  /**
   * Saves proxy credentials to a file. This method ensures that the stored
   * proxy is saved with the appropriate file permissions.
   * 
   * @param proxyFileName
   *          the file where the proxy will be saved
   * @param uc
   *          the credential to be saved
   * @param encoding
   *          the private key encoding
   * @throws IOException
   *          in case of errors writing to the proxy file
   */
  public static void saveProxyCredentials(String proxyFileName,
    X509Credential uc, PrivateKeyEncoding encoding) 
      throws IOException {

    File f = new File(proxyFileName);
    RandomAccessFile raf = new RandomAccessFile(f, "rws");
    FileChannel channel = raf.getChannel();
    FilePermissionHelper.setProxyPermissions(proxyFileName);
    channel.truncate(0);

    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    saveProxyCredentials(baos, uc, encoding);

    baos.close();
    channel.write(ByteBuffer.wrap(baos.toByteArray()));

    channel.close();
    raf.close();
  }

  /**
   * 
   * Saves proxy credentials to a file. This method ensures that the stored
   * proxy is saved with the appropriate file permissions, using the default
   * encoding specified in {@link #DEFAULT_ENCONDING}.
   * 
   * @param proxyFileName
   *         the file where the proxy will be saved
   * @param uc
   *         the credential to be saved
   *         
   * @throws IOException
   *          in case of errors writing the credential to the proxy file
   */
  public static void saveProxyCredentials(String proxyFileName,
    X509Credential uc) throws IOException {

    saveProxyCredentials(proxyFileName, uc, DEFAULT_ENCONDING);
  }
}