Package com.netscape.cms.authentication
Class SharedSecret
- java.lang.Object
  - com.netscape.cms.authentication.DirBasedAuthentication
    - com.netscape.cms.authentication.SharedSecret
- All Implemented Interfaces:
  com.netscape.certsrv.authentication.ISharedToken, IExtendedPluginInfo, AuthManager
public class SharedSecret extends DirBasedAuthentication implements com.netscape.certsrv.authentication.ISharedToken
SharedSecret provides methods to retrieve shared secrets between users and the server. It is primarily developed to support CMC Shared Secret-based authentication for enrollment and revocation, but does not preclude usages that conform to the same mechanism and storage format.
- Author:
  cfu
Field Summary
Fields (modifier and type, field):
- static java.lang.String CRED_ShrTok
- static java.lang.String DEF_SharedToken_ATTR
- protected byte[] iv
- static org.slf4j.Logger logger
- protected static java.lang.String[] mConfigParams
- protected static java.lang.String[] mRequiredCreds
- protected java.lang.String mShrTokAttr
- protected static java.lang.String PROP_DNPATTERN
- protected static java.lang.String PROP_LDAP_BOUND_CONN
- protected static java.lang.String PROP_LDAP_BOUND_TAG
- protected static java.lang.String PROP_LDAPBYTEATTRS
- protected static java.lang.String PROP_LDAPSTRINGATTRS
- static java.lang.String PROP_SharedToken_ATTR
- protected org.mozilla.jss.crypto.CryptoToken token
- org.mozilla.jss.crypto.KeyWrapAlgorithm wrapAlgorithm
Fields inherited from class com.netscape.cms.authentication.DirBasedAuthentication:
DEFAULT_DNPATTERN, mBaseDN, mBoundConnEnable, mConfig, mConnFactory, mExtendedPluginInfo, mGroupObjectClass, mGroups, mGroupsBaseDN, mGroupsEnable, mGroupUserIDName, mImplName, mLdapAttrs, mLdapByteAttrs, mLdapConfig, mLdapStringAttrs, mName, mPattern, mSearchGroupUserByUserdn, mTag, mUserIDName, PROP_GROUP_OBJECT_CLASS, PROP_GROUP_USERID_NAME, PROP_GROUPS, PROP_GROUPS_BASEDN, PROP_GROUPS_ENABLE, PROP_SEARCH_GROUP_USER_BY_USERDN, PROP_USERID_NAME, USER_DN
Fields inherited from interface org.dogtagpki.server.authentication.AuthManager:
CRED_CERT_SERIAL_TO_REVOKE, CRED_CMC_SELF_SIGNED, CRED_CMC_SIGNING_CERT, CRED_HOST_NAME, CRED_SESSION_ID, CRED_SSL_CLIENT_CERT
Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo:
HELP_TEXT, HELP_TOKEN
Constructor Summary
- SharedSecret()
Method Summary
All Methods, Instance Methods, Concrete Methods (modifier and type, method, description):
- protected java.lang.String authenticate(netscape.ldap.LDAPConnection conn, com.netscape.certsrv.authentication.IAuthCredentials authCreds, AuthToken token)
  Unsupported. This is an unconventional authentication plugin implementation that does not support authenticate().
- java.lang.String[] getConfigParams()
  Returns a list of configuration parameter names.
- java.lang.String[] getRequiredCreds()
  Returns array of required credentials for this authentication manager.
- char[] getSharedToken(java.lang.String identification, com.netscape.certsrv.authentication.IAuthToken authToken)
  getSharedToken(String identification, IAuthToken authToken) provides support for id_cmc_identification shared-secret-based enrollment.
- char[] getSharedToken(java.math.BigInteger serial)
  getSharedToken(BigInteger serial) retrieves the shared secret data from the CA's internal certificate db, based on the serial number of the certificate to revoke, for shared-secret-based revocation. Note that unlike the shared token attribute for enrollment, the metaInfo attribute for the shared token in revocation is not configurable.
- char[] getSharedToken(org.mozilla.jss.pkix.cmc.PKIData cmcdata)
  Unsupported.
- void init(java.lang.String name, java.lang.String implName, AuthManagerConfig config)
  Initializes the UidPwdDirBasedAuthentication auth manager.
- void initLdapConn(AuthManagerConfig config)
  initLdapConn initializes the ldap connection for shared-token-based CMC enrollment.
Methods inherited from class com.netscape.cms.authentication.DirBasedAuthentication:
authenticate, formCertInfo, formSubjectName, getConfigStore, getExtendedPluginInfo, getImplName, getLdapAttrs, getLdapByteAttrs, getName, init, setAuthTokenByteValue, setAuthTokenStringValue, setAuthTokenValues, shutdown
Field Detail
- logger
  public static org.slf4j.Logger logger
- CRED_ShrTok
  public static final java.lang.String CRED_ShrTok
- mRequiredCreds
  protected static java.lang.String[] mRequiredCreds
- PROP_DNPATTERN
  protected static final java.lang.String PROP_DNPATTERN
- PROP_LDAPSTRINGATTRS
  protected static final java.lang.String PROP_LDAPSTRINGATTRS
- PROP_LDAPBYTEATTRS
  protected static final java.lang.String PROP_LDAPBYTEATTRS
- PROP_LDAP_BOUND_CONN
  protected static final java.lang.String PROP_LDAP_BOUND_CONN
- PROP_LDAP_BOUND_TAG
  protected static final java.lang.String PROP_LDAP_BOUND_TAG
- PROP_SharedToken_ATTR
  public static final java.lang.String PROP_SharedToken_ATTR
- DEF_SharedToken_ATTR
  public static final java.lang.String DEF_SharedToken_ATTR
- wrapAlgorithm
  public org.mozilla.jss.crypto.KeyWrapAlgorithm wrapAlgorithm
- mConfigParams
  protected static java.lang.String[] mConfigParams
- mShrTokAttr
  protected java.lang.String mShrTokAttr
- token
  protected org.mozilla.jss.crypto.CryptoToken token
- iv
  protected byte[] iv
Method Detail
- init
  public void init(java.lang.String name, java.lang.String implName, AuthManagerConfig config) throws EBaseException
  Description copied from class: DirBasedAuthentication
  Initializes the UidPwdDirBasedAuthentication auth manager. Takes the following configuration parameters:
  - ldap.basedn - the ldap base dn.
  - ldap.ldapconn.host - the ldap host.
  - ldap.ldapconn.port - the ldap port.
  - ldap.ldapconn.secureConn - whether the port should be secure.
  - ldap.minConns - minimum connections.
  - ldap.maxConns - max connections.
  - dnpattern - dn pattern.
  dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.
  The syntax is:
    dnpattern = SubjectNameComp *[ "," SubjectNameComp ]
    SubjectNameComponent = DnComp | EntryComp | ConstantComp
    DnComp = CertAttr "=" "$dn" "." DnAttr "." Num
    EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num
    ConstantComp = CertAttr "=" Constant
    DnAttr = an attribute in the Ldap entry dn
    EntryAttr = an attribute in the Ldap entry
    CertAttr = a Component in the Certificate Subject Name (multiple AVA in one RDN not supported)
    Num = the nth value of the attribute in the dn or entry.
    Constant = Constant String, with any accepted ldap string value.
  Example:
    dnpattern: E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
    Ldap entry dn: UID=joesmith, OU=people, O=Acme.com
    Ldap attributes:
      cn: Joe Smith
      sn: Smith
      mail: joesmith@acme.com
      mail: joesmith@redhat.com
      ou: people
      ou: IS
      etc.
  The subject name formulated in the cert will be:
    E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US
    E = the first 'mail' ldap attribute value in the user's entry - joesmith@acme.com
    CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith
    OU = the second 'ou' value in the ldap entry - IS
    O = the (first) 'o' value in the user's entry DN - "Acme.com"
    C = the constant string "US"
  - Specified by:
    init in interface AuthManager
  - Overrides:
    init in class DirBasedAuthentication
  - Parameters:
    name - The name for this authentication manager instance.
    implName - The name of the authentication manager plugin.
    config - The configuration store for this instance.
  - Throws:
    EBaseException - If an error occurs during initialization.
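To make the dnpattern rules above concrete, here is an added Python example (not Dogtag's own code) that applies the grammar to the sample entry: it resolves $dn and $attr references, copies constants through, and refuses a reference whose nth value does not exist instead of emitting an empty AVA. It assumes a missing Num means the first value (the example omits it for $attr.cn and $dn.o) and, following the stated rule, yields OU=IS for the second 'ou' value; escaped commas in DN values and commas inside constants are out of scope.

```python
import re

# Constructed sample input, taken from the dnpattern example above.
DNPATTERN = "E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US"
ENTRY_DN = "UID=joesmith, OU=people, O=Acme.com"
ENTRY_ATTRS = {
    "cn": ["Joe Smith"],
    "sn": ["Smith"],
    "mail": ["joesmith@acme.com", "joesmith@redhat.com"],
    "ou": ["people", "IS"],
}

# $dn.<DnAttr>.<Num> or $attr.<EntryAttr>.<Num>; Num is optional here (assumption).
_REF = re.compile(r"^\$(dn|attr)\.([A-Za-z][\w-]*)(?:\.(\d+))?$")


def parse_dn(dn: str) -> dict:
    """Split an LDAP DN into attr -> [values] in left-to-right order.
    Escaped commas inside RDN values are not handled (assumption)."""
    values: dict = {}
    for rdn in dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        values.setdefault(attr.strip().lower(), []).append(val.strip())
    return values


def resolve_component(comp: str, dn_attrs: dict, entry_attrs: dict) -> str:
    """Resolve one SubjectNameComp: DnComp, EntryComp or ConstantComp."""
    cert_attr, sep, source = comp.strip().partition("=")
    cert_attr, source = cert_attr.strip(), source.strip()
    if not sep or not cert_attr:
        raise ValueError(f"malformed dnpattern component: {comp!r}")
    m = _REF.match(source)
    if m is None:                  # ConstantComp: copy the literal value
        return f"{cert_attr}={source}"
    kind, name, num = m.groups()
    table = dn_attrs if kind == "dn" else entry_attrs
    vals = table.get(name.lower(), [])
    idx = int(num) if num else 1   # Num is 1-based: the nth value of the attribute
    if not 1 <= idx <= len(vals):  # missing value: fail rather than emit an empty AVA
        raise ValueError(f"no value #{idx} for ${kind}.{name} in the ldap entry")
    return f"{cert_attr}={vals[idx - 1]}"


def form_subject_name(pattern: str, entry_dn: str, entry_attrs: dict) -> str:
    """Build the certificate subject name; an empty pattern means 'use the entry DN'."""
    if not pattern.strip():
        return entry_dn
    dn_attrs = parse_dn(entry_dn)
    attrs = {k.lower(): v for k, v in entry_attrs.items()}
    return ", ".join(resolve_component(c, dn_attrs, attrs) for c in pattern.split(","))
```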
- initLdapConn
  public void initLdapConn(AuthManagerConfig config) throws EBaseException
  initLdapConn initializes the ldap connection for shared-token-based CMC enrollment.
  - Throws:
    EBaseException
- getSharedToken
  public char[] getSharedToken(java.lang.String identification, com.netscape.certsrv.authentication.IAuthToken authToken) throws EBaseException
  getSharedToken(String identification, IAuthToken authToken) provides support for id_cmc_identification shared-secret-based enrollment.
  - Specified by:
    getSharedToken in interface com.netscape.certsrv.authentication.ISharedToken
  - Parameters:
    identification - maps to the uid in the user's ldap record
    authToken - the IAuthToken that will be filled with the DN in the user's ldap record
  Note: the caller should clear the memory for the returned token after each use.
  - Throws:
    EBaseException
- getSharedToken
  public char[] getSharedToken(org.mozilla.jss.pkix.cmc.PKIData cmcdata) throws EBaseException
  Unsupported.
  - Specified by:
    getSharedToken in interface com.netscape.certsrv.authentication.ISharedToken
  - Throws:
    EBaseException
- getSharedToken
  public char[] getSharedToken(java.math.BigInteger serial) throws EBaseException
  getSharedToken(BigInteger serial) retrieves the shared secret data from the CA's internal certificate db, based on the serial number of the certificate to revoke, for shared-secret-based revocation. Note that unlike the shared token attribute for enrollment, the metaInfo attribute for the shared token in revocation is not configurable.
  Note: the caller should clear the memory for the returned token after each use.
  - Specified by:
    getSharedToken in interface com.netscape.certsrv.authentication.ISharedToken
  - Throws:
    EBaseException
- authenticate
  protected java.lang.String authenticate(netscape.ldap.LDAPConnection conn, com.netscape.certsrv.authentication.IAuthCredentials authCreds, AuthToken token) throws EBaseException
  Unsupported. This is an unconventional authentication plugin implementation that does not support authenticate().
  - Specified by:
    authenticate in class DirBasedAuthentication
  - Parameters:
    authCreds - The authentication credentials.
  - Returns:
    The user's ldap entry dn.
  - Throws:
    com.netscape.certsrv.authentication.EInvalidCredentials - If the uid and password are not valid
    EBaseException - If an internal error occurs.
- getConfigParams
  public java.lang.String[] getConfigParams()
  Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.
  - Specified by:
    getConfigParams in interface AuthManager
  - Specified by:
    getConfigParams in class DirBasedAuthentication
  - Returns:
    String array of configuration parameter names.
- getRequiredCreds
  public java.lang.String[] getRequiredCreds()
  Returns array of required credentials for this authentication manager.
  - Specified by:
    getRequiredCreds in interface AuthManager
  - Specified by:
    getRequiredCreds in class DirBasedAuthentication
  - Returns:
    Array of required credentials.