Class SharedSecret

java.lang.Object
com.netscape.cms.authentication.DirBasedAuthentication
com.netscape.cms.authentication.SharedSecret
All Implemented Interfaces:
ISharedToken, IExtendedPluginInfo, AuthManager

public class SharedSecret extends DirBasedAuthentication implements ISharedToken
SharedSecret provides methods to retrieve shared secrets between users and the server. It is primarily developed to support CMC Shared Secret-based authentication for enrollment and revocation, but does not preclude usages that conform to the same mechanism and storage format.
Author:
cfu
  • Field Details

    • logger

      public static org.slf4j.Logger logger
    • CRED_ShrTok

      public static final String CRED_ShrTok
    • mRequiredCreds

      protected static String[] mRequiredCreds
    • PROP_DNPATTERN

      protected static final String PROP_DNPATTERN
    • PROP_LDAPSTRINGATTRS

      protected static final String PROP_LDAPSTRINGATTRS
    • PROP_LDAPBYTEATTRS

      protected static final String PROP_LDAPBYTEATTRS
    • PROP_LDAP_BOUND_CONN

      protected static final String PROP_LDAP_BOUND_CONN
    • PROP_LDAP_BOUND_TAG

      protected static final String PROP_LDAP_BOUND_TAG
    • PROP_SharedToken_ATTR

      public static final String PROP_SharedToken_ATTR
    • DEF_SharedToken_ATTR

      public static final String DEF_SharedToken_ATTR
    • wrapAlgorithm

      public org.mozilla.jss.crypto.KeyWrapAlgorithm wrapAlgorithm
    • mConfigParams

      protected static String[] mConfigParams
    • mShrTokAttr

      protected String mShrTokAttr
    • token

      protected org.mozilla.jss.crypto.CryptoToken token
    • iv

      protected byte[] iv
  • Constructor Details

    • SharedSecret

      public SharedSecret()
  • Method Details

    • init

      public void init(String name, String implName, AuthManagerConfig config) throws EBaseException
      Description copied from class: DirBasedAuthentication
      Initializes the UidPwdDirBasedAuthentication auth manager. Takes the following configuration parameters:
              ldap.basedn             - the ldap base dn.
              ldap.ldapconn.host      - the ldap host.
              ldap.ldapconn.port      - the ldap port
              ldap.ldapconn.secureConn - whether port should be secure
              ldap.minConns           - minimum connections
              ldap.maxConns           - max connections
              dnpattern               - dn pattern.
       

      dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.

      The syntax is

           dnpattern = SubjectNameComp *[ "," SubjectNameComp ]
      
           SubjectNameComponent = DnComp | EntryComp | ConstantComp
           DnComp = CertAttr "=" "$dn" "." DnAttr [ "." Num ]
           EntryComp = CertAttr "=" "$attr" "." EntryAttr [ "." Num ]
           ConstantComp = CertAttr "=" Constant
           DnAttr    =  an attribute in the Ldap entry dn
           EntryAttr =  an attribute in the Ldap entry
           CertAttr  =  a Component in the Certificate Subject Name
                        (multiple AVA in one RDN not supported)
           Num       =  the nth value of the attribute in the dn or entry;
                        when omitted, the first value is used (see CN=$attr.cn below)
           Constant  =  Constant String, with any accepted ldap string value.
      
       

      Example:

       dnpattern:
           E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
       
      Ldap entry dn: UID=joesmith, OU=people, O=Acme.com

      Ldap attributes:
           cn: Joe Smith
           sn: Smith
           mail: joesmith@acme.com
           mail: joesmith@redhat.com
           ou: people
           ou: IS
           (etc.)

      The subject name formulated in the cert will be:

         E=joesmith@acme.com, CN=Joe Smith, OU=IS, O=Acme.com, C=US
      
            E = the first 'mail' ldap attribute value in the user's entry - joesmith@acme.com
            CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith
            OU = the second 'ou' value in the user's entry - IS
            O = the (first) 'o' value in the user's entry DN - Acme.com
            C = the constant string "US"
       
      Specified by:
      init in interface AuthManager
      Overrides:
      init in class DirBasedAuthentication
      Parameters:
      name - The name for this authentication manager instance.
      implName - The name of the authentication manager plugin.
      config - - The configuration store for this instance.
      Throws:
      EBaseException - If an error occurs during initialization.
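      The dnpattern rules above, worked through in code. This is an added example written against the grammar and worked example in this Javadoc; it is not the implementation inside DirBasedAuthentication, and it makes two assumptions the page leaves open: a referenced attribute value that does not exist makes the whole subject name fail (rather than being silently dropped), and escaped commas inside DN values are not handled. The sample entry and attribute values are constructed to match the example above.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Illustrative re-implementation of the documented dnpattern rules
 * (added example, not DirBasedAuthentication's own code).
 */
public class DnPatternDemo {

    /**
     * Parse "attr=value, attr=value" into attr -> ordered list of values.
     * Keys are lower-cased so $dn.o and $dn.O refer to the same RDN attribute.
     * Assumption: values contain no escaped commas (true of the page's examples).
     */
    static Map<String, List<String>> parseDn(String dn) {
        Map<String, List<String>> out = new HashMap<>();
        for (String rdn : dn.split(",")) {
            String[] ava = rdn.trim().split("=", 2);
            if (ava.length != 2) {
                throw new IllegalArgumentException("bad RDN: " + rdn);
            }
            out.computeIfAbsent(ava[0].trim().toLowerCase(), k -> new ArrayList<>())
               .add(ava[1].trim());
        }
        return out;
    }

    /** Resolve one "$dn.attr[.N]", "$attr.attr[.N]" or constant expression. */
    static String resolve(String expr, Map<String, List<String>> dnAttrs,
                          Map<String, List<String>> entryAttrs) {
        Map<String, List<String>> source;
        String ref;
        if (expr.startsWith("$dn.")) {
            source = dnAttrs;
            ref = expr.substring("$dn.".length());
        } else if (expr.startsWith("$attr.")) {
            source = entryAttrs;
            ref = expr.substring("$attr.".length());
        } else {
            return expr;                       // ConstantComp: used verbatim
        }
        String[] parts = ref.split("\\.");
        String attr = parts[0].toLowerCase();
        int num = parts.length > 1 ? Integer.parseInt(parts[1]) : 1;   // Num omitted -> first value
        List<String> values = source.get(attr);
        if (values == null || num < 1 || num > values.size()) {
            // Assumption: fail closed. A subject component that cannot be resolved
            // must not quietly disappear from the certificate's subject name.
            throw new IllegalArgumentException("no value #" + num + " for " + expr);
        }
        return values.get(num - 1);
    }

    /** Apply a dnpattern to an entry; an empty pattern means "use the entry DN as-is". */
    static String formSubjectName(String pattern, String entryDn,
                                  Map<String, List<String>> entryAttrs) {
        if (pattern == null || pattern.trim().isEmpty()) {
            return entryDn;
        }
        Map<String, List<String>> dnAttrs = parseDn(entryDn);
        List<String> out = new ArrayList<>();
        for (String comp : pattern.split(",")) {
            String[] ava = comp.trim().split("=", 2);
            if (ava.length != 2) {
                throw new IllegalArgumentException("bad pattern component: " + comp);
            }
            out.add(ava[0].trim() + "=" + resolve(ava[1].trim(), dnAttrs, entryAttrs));
        }
        return String.join(", ", out);
    }

    public static void main(String[] args) {
        // Constructed sample entry, matching the Javadoc example.
        Map<String, List<String>> attrs = new HashMap<>();
        attrs.put("cn", List.of("Joe Smith"));
        attrs.put("sn", List.of("Smith"));
        attrs.put("mail", List.of("joesmith@acme.com", "joesmith@redhat.com"));
        attrs.put("ou", List.of("people", "IS"));

        String pattern = "E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US";
        String subject = formSubjectName(pattern, "UID=joesmith, OU=people, O=Acme.com", attrs);
        System.out.println(subject);
    }
}
```

      Run with `java DnPatternDemo.java` (JDK 11 or later); it prints `E=joesmith@acme.com, CN=Joe Smith, OU=IS, O=Acme.com, C=US`, the subject name the worked example above arrives at. The fail-closed choice matters for a CA: a pattern that references an attribute some entries lack would otherwise issue certificates whose subject silently omits a component the pattern author intended to be present.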
    • initLdapConn

      public void initLdapConn(AuthManagerConfig config) throws EBaseException
      initLdapConn initializes the ldap connection for shared-token-based CMC enrollment.
      Throws:
      EBaseException
    • getSharedToken

      public char[] getSharedToken(String identification, IAuthToken authToken) throws EBaseException
      getSharedToken(String identification, IAuthToken authToken) provides support for id_cmc_identification shared secret based enrollment
      Specified by:
      getSharedToken in interface ISharedToken
      Parameters:
      identification - maps to the uid in the user's ldap record
      authToken - the IAuthToken that will be filled with the DN from the user's ldap record
      Note: the caller should clear the memory of the returned token after each use.
      Throws:
      EBaseException
    • getSharedToken

      public char[] getSharedToken(org.mozilla.jss.pkix.cmc.PKIData cmcdata) throws EBaseException
      unsupported
      Specified by:
      getSharedToken in interface ISharedToken
      Throws:
      EBaseException
    • getSharedToken

      public char[] getSharedToken(BigInteger serial) throws EBaseException
      getSharedToken(BigInteger serial) retrieves the shared secret data from the CA's internal certificate db by serial number, for shared-secret-based revocation. Note that unlike the shared token attribute used for enrollment, the metaInfo attribute holding the shared token for revocation is not configurable. Note: the caller should clear the memory of the returned token after each use.
      Specified by:
      getSharedToken in interface ISharedToken
      Throws:
      EBaseException
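      Both getSharedToken variants above hand the caller a char[] that the caller is expected to wipe after use. The following is an added example of a consumer written against the ISharedToken signatures on this page; it is not code from SharedSecret or from Dogtag PKI. It assumes the interfaces live in com.netscape.certsrv.authentication (adjust to your PKI version), and the HMAC step in witnessMatches is only an illustration of using the secret as a key; the actual CMC identity-proof computation is not defined on this page.

```java
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Assumed packages for the Dogtag PKI interfaces named on this page; adjust to your version.
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authentication.ISharedToken;

/** Added example of consuming ISharedToken without leaving the secret behind in memory. */
public final class SharedTokenUse {

    private SharedTokenUse() {}

    /** Receives the secret only for the duration of the call and must not retain it. */
    @FunctionalInterface
    public interface SecretUser<T> {
        T apply(char[] secret) throws Exception;
    }

    /** Enrollment path: secret looked up by uid via getSharedToken(String, IAuthToken). */
    public static <T> T withEnrollmentSecret(ISharedToken store, String identification,
                                             IAuthToken authToken, SecretUser<T> user)
            throws Exception {
        return useAndWipe(store.getSharedToken(identification, authToken), user);
    }

    /** Revocation path: secret looked up by certificate serial via getSharedToken(BigInteger). */
    public static <T> T withRevocationSecret(ISharedToken store, BigInteger serial,
                                             SecretUser<T> user) throws Exception {
        return useAndWipe(store.getSharedToken(serial), user);
    }

    private static <T> T useAndWipe(char[] secret, SecretUser<T> user) throws Exception {
        if (secret == null) {
            throw new IllegalStateException("no shared secret on record");
        }
        try {
            return user.apply(secret);
        } finally {
            Arrays.fill(secret, '\0');   // the "clear the memory after each use" the Javadoc asks for
        }
    }

    /**
     * Illustrative use (assumption, not the CMC witness algorithm): HMAC-SHA256 over the
     * request body keyed by the secret, compared in constant time against what the
     * enrollee presented. Every intermediate copy of the key is wiped on the way out.
     */
    public static boolean witnessMatches(ISharedToken store, String uid, IAuthToken authToken,
                                         byte[] requestBody, byte[] presentedWitness)
            throws Exception {
        return withEnrollmentSecret(store, uid, authToken, secret -> {
            byte[] key = utf8(secret);
            try {
                Mac mac = Mac.getInstance("HmacSHA256");
                // SecretKeySpec keeps its own copy of the key bytes; that copy cannot be
                // wiped from here, so keep the key object's lifetime as short as possible.
                mac.init(new SecretKeySpec(key, "HmacSHA256"));
                byte[] expected = mac.doFinal(requestBody);
                // MessageDigest.isEqual does not short-circuit on the first differing byte.
                return MessageDigest.isEqual(expected, presentedWitness);
            } finally {
                Arrays.fill(key, (byte) 0);
            }
        });
    }

    /** UTF-8 encode without building a java.lang.String, whose contents cannot be cleared. */
    private static byte[] utf8(char[] chars) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0);   // the encoder's scratch buffer
        }
        return out;
    }
}
```

      The point of routing every use through SecretUser is that the finally block, not each caller, owns the zeroisation: a caller that throws halfway through still leaves no plaintext copy behind. Converting the char[] to a String at any point would defeat this, since String contents are immutable and stay in the heap until the collector runs.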
    • authenticate

      protected String authenticate(netscape.ldap.LDAPConnection conn, IAuthCredentials authCreds, AuthToken token) throws EBaseException
      Unsupported. This is an unconventional authentication plugin implementation that does not support authenticate(); the shared secret is retrieved through getSharedToken(...) instead.
      Specified by:
      authenticate in class DirBasedAuthentication
      Parameters:
      conn - The ldap connection.
      authCreds - The authentication credentials.
      token - The AuthToken to be populated.
      Returns:
      The user's ldap entry dn.
      Throws:
      EInvalidCredentials - If the uid and password are not valid
      EBaseException - If an internal error occurs.
    • getConfigParams

      public String[] getConfigParams()
      Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.
      Specified by:
      getConfigParams in interface AuthManager
      Specified by:
      getConfigParams in class DirBasedAuthentication
      Returns:
      String array of configuration parameter names.
    • getRequiredCreds

      public String[] getRequiredCreds()
      Returns array of required credentials for this authentication manager.
      Specified by:
      getRequiredCreds in interface AuthManager
      Specified by:
      getRequiredCreds in class DirBasedAuthentication
      Returns:
      Array of required credentials.