Class SharedSecret

  • All Implemented Interfaces:
    com.netscape.certsrv.authentication.ISharedToken, IExtendedPluginInfo, AuthManager

    public class SharedSecret
    extends DirBasedAuthentication
    implements com.netscape.certsrv.authentication.ISharedToken
    SharedSecret provides methods to retrieve shared secrets between users and the server. It is primarily developed to support CMC Shared Secret-based authentication for enrollment and revocation, but does not preclude usages that conform to the same mechanism and storage format.
    Author:
    cfu
    • Field Detail

      • logger

        public static org.slf4j.Logger logger
      • mRequiredCreds

        protected static java.lang.String[] mRequiredCreds
      • PROP_LDAPSTRINGATTRS

        protected static final java.lang.String PROP_LDAPSTRINGATTRS
        See Also:
        Constant Field Values
      • PROP_LDAPBYTEATTRS

        protected static final java.lang.String PROP_LDAPBYTEATTRS
        See Also:
        Constant Field Values
      • PROP_LDAP_BOUND_CONN

        protected static final java.lang.String PROP_LDAP_BOUND_CONN
        See Also:
        Constant Field Values
      • PROP_LDAP_BOUND_TAG

        protected static final java.lang.String PROP_LDAP_BOUND_TAG
        See Also:
        Constant Field Values
      • PROP_SharedToken_ATTR

        public static final java.lang.String PROP_SharedToken_ATTR
        See Also:
        Constant Field Values
      • DEF_SharedToken_ATTR

        public static final java.lang.String DEF_SharedToken_ATTR
        See Also:
        Constant Field Values
      • wrapAlgorithm

        public org.mozilla.jss.crypto.KeyWrapAlgorithm wrapAlgorithm
      • mConfigParams

        protected static java.lang.String[] mConfigParams
      • mShrTokAttr

        protected java.lang.String mShrTokAttr
      • token

        protected org.mozilla.jss.crypto.CryptoToken token
      • iv

        protected byte[] iv
    • Constructor Detail

      • SharedSecret

        public SharedSecret()
    • Method Detail

      • init

        public void init​(java.lang.String name,
                         java.lang.String implName,
                         AuthManagerConfig config)
                  throws EBaseException
        Description copied from class: DirBasedAuthentication
        Initializes the UidPwdDirBasedAuthentication auth manager. Takes the following configuration parameters:
                ldap.basedn             - the ldap base dn.
                ldap.ldapconn.host      - the ldap host.
                ldap.ldapconn.port      - the ldap port
                ldap.ldapconn.secureConn - whether port should be secure
                ldap.minConns           - minimum connections
                ldap.maxConns           - max connections
                dnpattern               - dn pattern.
         

        dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.

        The syntax is

             dnpattern = SubjectNameComp *[ "," SubjectNameComp ]

             SubjectNameComp = DnComp | EntryComp | ConstantComp
             DnComp = CertAttr "=" "$dn" "." DnAttr "." Num
             EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num
             ConstantComp = CertAttr "=" Constant
             DnAttr    =  an attribute in the Ldap entry dn
             EntryAttr =  an attribute in the Ldap entry
             CertAttr  =  a Component in the Certificate Subject Name
                          (multiple AVA in one RDN not supported)
             Num       =  the nth value of the attribute in the dn or entry.
             Constant  =  Constant String, with any accepted ldap string value.


        Example:

         dnpattern:
             E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US

        Ldap entry dn: UID=joesmith, OU=people, O=Acme.com

        Ldap attributes:
             cn: Joe Smith
             sn: Smith
             mail: joesmith@acme.com
             mail: joesmith@redhat.com
             ou: people
             ou: IS
             etc.

        The subject name formulated in the cert will be:

           E=joesmith@acme.com, CN=Joe Smith, OU=IS, O=Acme.com, C=US

              E = the first 'mail' ldap attribute value in the user's entry - joesmith@acme.com
              CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith
              OU = the second 'ou' value in the ldap entry - IS
              O = the (first) 'o' value in the user's entry DN - "Acme.com"
              C = the constant string "US"

        Specified by:
        init in interface AuthManager
        Overrides:
        init in class DirBasedAuthentication
        Parameters:
        name - The name for this authentication manager instance.
        implName - The name of the authentication manager plugin.
        config - The configuration store for this instance.
        Throws:
        EBaseException - If an error occurs during initialization.
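        The dnpattern substitution described above, worked through as an added example. This is not Dogtag's own implementation (the real one lives in DirBasedAuthentication, in Java); it is an illustrative Python re-implementation of the documented grammar. The sample DN and attributes are constructed to mirror the Javadoc example. Two assumptions are labelled in the code: a missing Num (as in CN=$attr.cn) is taken to mean the first value, and a component that references a value the entry does not have raises an error rather than producing an empty RDN, so a misconfigured pattern cannot silently yield a subject name with missing components.

```python
import re
from typing import Dict, List

# Constructed sample entry (not data from any real directory); it mirrors
# the Javadoc example above.
SAMPLE_ENTRY_DN = "UID=joesmith, OU=people, O=Acme.com"
SAMPLE_ENTRY_ATTRS: Dict[str, List[str]] = {
    "cn": ["Joe Smith"],
    "sn": ["Smith"],
    "mail": ["joesmith@acme.com", "joesmith@redhat.com"],
    "ou": ["people", "IS"],
}
SAMPLE_DNPATTERN = "E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US"

# $dn.<DnAttr>[.<Num>] or $attr.<EntryAttr>[.<Num>]. Num is optional here
# (assumption: it defaults to 1, as the example's CN=$attr.cn implies).
_REF_RE = re.compile(r"^\$(dn|attr)\.([A-Za-z][A-Za-z0-9-]*)(?:\.(\d+))?$")


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Map each attribute type in a DN to its values, in DN order.

    Splits on unescaped ',' only; multi-AVA RDNs ('+') are not supported,
    matching the restriction stated in the pattern grammar."""
    values: Dict[str, List[str]] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        values.setdefault(attr.strip().lower(), []).append(value.strip())
    return values


def resolve_component(spec: str, dn_attrs: Dict[str, List[str]],
                      entry_attrs: Dict[str, List[str]]) -> str:
    """Resolve one component's right-hand side to a string.

    '$dn.X.N' takes the Nth value of X from the entry DN, '$attr.X.N' the
    Nth value of attribute X from the entry; anything else is a ConstantComp."""
    spec = spec.strip()
    m = _REF_RE.match(spec)
    if m is None:
        return spec  # ConstantComp: used literally
    source, name, num = m.groups()
    index = int(num) if num else 1
    if index < 1:
        raise ValueError(f"{spec}: Num must be 1 or greater")
    pool = dn_attrs if source == "dn" else entry_attrs
    candidates = pool.get(name.lower(), [])
    if index > len(candidates):
        # Assumption: fail closed instead of emitting an empty RDN value.
        raise LookupError(f"{spec}: value #{index} of {name!r} is not present")
    return candidates[index - 1]


def formulate_subject(dnpattern: str, entry_dn: str,
                      entry_attrs: Dict[str, List[str]]) -> str:
    """Build the certificate subject name for an LDAP entry from dnpattern.

    An empty or unset pattern means the entry DN itself becomes the subject
    name, as the init() documentation states."""
    if dnpattern is None or not dnpattern.strip():
        return entry_dn
    dn_attrs = parse_dn(entry_dn)
    attrs = {k.lower(): list(v) for k, v in entry_attrs.items()}
    rdns: List[str] = []
    # Components are comma-separated per the grammar; constants containing
    # commas are therefore not supported by this splitter.
    for comp in dnpattern.split(","):
        comp = comp.strip()
        if "=" not in comp:
            raise ValueError(f"malformed pattern component: {comp!r}")
        cert_attr, spec = comp.split("=", 1)
        rdns.append(f"{cert_attr.strip()}={resolve_component(spec, dn_attrs, attrs)}")
    return ", ".join(rdns)


if __name__ == "__main__":
    print(formulate_subject(SAMPLE_DNPATTERN, SAMPLE_ENTRY_DN, SAMPLE_ENTRY_ATTRS))
```

Running the block prints the subject name the Javadoc example arrives at. The fail-closed choice matters from a PKI point of view: a subject name is what relying parties will trust, so a pattern that references an attribute value a particular entry lacks should be treated as a configuration or data error, not papered over.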
      • getSharedToken

        public char[] getSharedToken​(java.lang.String identification,
                                     com.netscape.certsrv.authentication.IAuthToken authToken)
                              throws EBaseException
        getSharedToken(String identification, IAuthToken authToken) provides support for id_cmc_identification shared-secret-based enrollment.
        Specified by:
        getSharedToken in interface com.netscape.certsrv.authentication.ISharedToken
        Parameters:
        identification - maps to the uid in the user's ldap record
        authToken - the IAuthToken that will be filled with the DN in the user's ldap record. Note: the caller should clear the memory for the returned token after each use.
        Throws:
        EBaseException
      • getSharedToken

        public char[] getSharedToken​(org.mozilla.jss.pkix.cmc.PKIData cmcdata)
                              throws EBaseException
        unsupported
        Specified by:
        getSharedToken in interface com.netscape.certsrv.authentication.ISharedToken
        Throws:
        EBaseException
      • getSharedToken

        public char[] getSharedToken​(java.math.BigInteger serial)
                              throws EBaseException
        getSharedToken(BigInteger serial) retrieves the shared secret data from the CA's internal certificate db, based on the serial number, for shared-secret-based revocation. Note that unlike the shared token attribute for enrollment, the metaInfo attribute for the shared token in revocation is not configurable. Note: the caller should clear the memory for the returned token after each use.
        Specified by:
        getSharedToken in interface com.netscape.certsrv.authentication.ISharedToken
        Throws:
        EBaseException
      • authenticate

        protected java.lang.String authenticate​(netscape.ldap.LDAPConnection conn,
                                                com.netscape.certsrv.authentication.IAuthCredentials authCreds,
                                                AuthToken token)
                                         throws EBaseException
        Unsupported. This is an unconventional authentication plugin implementation that does not support authenticate().
        Specified by:
        authenticate in class DirBasedAuthentication
        Parameters:
        authCreds - The authentication credentials.
        Returns:
        The user's ldap entry dn.
        Throws:
        com.netscape.certsrv.authentication.EInvalidCredentials - If the uid and password are not valid
        EBaseException - If an internal error occurs.
      • getConfigParams

        public java.lang.String[] getConfigParams()
        Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.
        Specified by:
        getConfigParams in interface AuthManager
        Specified by:
        getConfigParams in class DirBasedAuthentication
        Returns:
        String array of configuration parameter names.