Package com.netscape.cms.authentication
Class SharedSecret

java.lang.Object
  com.netscape.cms.authentication.DirBasedAuthentication
    com.netscape.cms.authentication.SharedSecret

All Implemented Interfaces:
- ISharedToken, IExtendedPluginInfo, AuthManager
SharedSecret provides methods to retrieve shared secrets between users and
the server. It is primarily developed to support CMC Shared Secret-based
authentication for enrollment and revocation, but does not
preclude usages that conform to the same mechanism and storage format.
Author:
- cfu
Field Summary

Fields (Modifier and Type):
- static final String
- static final String
- protected byte[]
- static org.slf4j.Logger
- protected static String[]
- protected static String[]
- protected String
- protected static final String
- protected static final String
- protected static final String
- protected static final String
- protected static final String
- static final String
- protected org.mozilla.jss.crypto.CryptoToken
- org.mozilla.jss.crypto.KeyWrapAlgorithm

Fields inherited from class com.netscape.cms.authentication.DirBasedAuthentication:
DEFAULT_DNPATTERN, mBaseDN, mBoundConnEnable, mConfig, mConnFactory, mExtendedPluginInfo, mGroupObjectClass, mGroups, mGroupsBaseDN, mGroupsEnable, mGroupUserIDName, mImplName, mLdapAttrs, mLdapByteAttrs, mLdapConfig, mLdapStringAttrs, mName, mPattern, mSearchGroupUserByUserdn, mTag, mUserIDName, PROP_GROUP_OBJECT_CLASS, PROP_GROUP_USERID_NAME, PROP_GROUPS, PROP_GROUPS_BASEDN, PROP_GROUPS_ENABLE, PROP_SEARCH_GROUP_USER_BY_USERDN, PROP_USERID_NAME, USER_DN

Fields inherited from interface org.dogtagpki.server.authentication.AuthManager:
CRED_CERT_SERIAL_TO_REVOKE, CRED_CMC_SELF_SIGNED, CRED_CMC_SIGNING_CERT, CRED_HOST_NAME, CRED_SESSION_ID, CRED_SSL_CLIENT_CERT

Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo:
HELP_TEXT, HELP_TOKEN
Constructor Summary

Constructors:
- SharedSecret()
Method Summary

Modifier and Type, Method, Description:
- protected String authenticate(netscape.ldap.LDAPConnection conn, IAuthCredentials authCreds, AuthToken token)
  Unsupported. This is an unconventional authentication plugin implementation that does not support authenticate().
- String[] getConfigParams()
  Returns a list of configuration parameter names.
- String[] getRequiredCreds()
  Returns array of required credentials for this authentication manager.
- char[] getSharedToken(String identification, IAuthToken authToken)
  Provides support for id_cmc_identification shared secret based enrollment.
- char[] getSharedToken(BigInteger serial)
  Retrieves the shared secret data from the CA's internal certificate db, based on the serial number of the certificate to revoke, for shared secret based revocation. Note that unlike the shared token attribute for enrollment, the metaInfo attribute for the shared token in revocation is not configurable.
- char[] getSharedToken(org.mozilla.jss.pkix.cmc.PKIData cmcdata)
  Unsupported.
- void init(String name, String implName, AuthManagerConfig config)
  Initializes the UidPwdDirBasedAuthentication auth manager.
- void initLdapConn(AuthManagerConfig config)
  Initializes the ldap connection for shared token based CMC enrollment.

Methods inherited from class com.netscape.cms.authentication.DirBasedAuthentication:
authenticate, formCertInfo, formSubjectName, getConfigStore, getExtendedPluginInfo, getImplName, getLdapAttrs, getLdapByteAttrs, getName, init, setAuthTokenByteValue, setAuthTokenStringValue, setAuthTokenValues, shutdown
Field Details

- logger: public static org.slf4j.Logger logger
- CRED_ShrTok
- mRequiredCreds
- PROP_DNPATTERN
- PROP_LDAPSTRINGATTRS
- PROP_LDAPBYTEATTRS
- PROP_LDAP_BOUND_CONN
- PROP_LDAP_BOUND_TAG
- wrapAlgorithm: public org.mozilla.jss.crypto.KeyWrapAlgorithm wrapAlgorithm
- mConfigParams
- mShrTokAttr
- token: protected org.mozilla.jss.crypto.CryptoToken token
- iv: protected byte[] iv

Constructor Details

- SharedSecret: public SharedSecret()
Method Details

init

init(String name, String implName, AuthManagerConfig config)

Description copied from class: DirBasedAuthentication

Initializes the UidPwdDirBasedAuthentication auth manager. Takes the following configuration parameters:
- ldap.basedn - the ldap base dn
- ldap.ldapconn.host - the ldap host
- ldap.ldapconn.port - the ldap port
- ldap.ldapconn.secureConn - whether the port should be secure
- ldap.minConns - minimum connections
- ldap.maxConns - max connections
- dnpattern - dn pattern

dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.

The syntax is:

dnpattern = SubjectNameComp *[ "," SubjectNameComp ]
SubjectNameComp = DnComp | EntryComp | ConstantComp
DnComp = CertAttr "=" "$dn" "." DnAttr "." Num
EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num
ConstantComp = CertAttr "=" Constant
DnAttr = an attribute in the Ldap entry dn
EntryAttr = an attribute in the Ldap entry
CertAttr = a Component in the Certificate Subject Name (multiple AVA in one RDN not supported)
Num = the nth value of the attribute in the dn or entry
Constant = Constant String, with any accepted ldap string value

Example:

dnpattern: E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US

Ldap entry dn: UID=joesmith, OU=people, O=Acme.com

Ldap attributes:
cn: Joe Smith
sn: Smith
mail: joesmith@acme.com
mail: joesmith@redhat.com
ou: people
ou: IS
etc.

The subject name formulated in the cert will be:

E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US

- E = the first 'mail' ldap attribute value in the user's entry - joesmith@acme.com
- CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith
- OU = the second 'ou' value in the ldap entry - IS
- O = the (first) 'o' value in the user's entry DN - "Acme.com"
- C = the constant string "US"

Specified by:
- init in interface AuthManager
Overrides:
- init in class DirBasedAuthentication
Parameters:
- name - The name for this authentication manager instance.
- implName - The name of the authentication manager plugin.
- config - The configuration store for this instance.
Throws:
- EBaseException - If an error occurs during initialization.
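The dnpattern grammar above is worth seeing executed, because the subject name it produces is what the CA signs into the certificate: every component that is not a constant is taken from the directory, so the formulation should escape attribute values that could otherwise reshape the DN and should fail closed when a referenced attribute or value index is absent. The following is an added illustration, not DirBasedAuthentication's own formSubjectName code. It assumes that Num is optional and defaults to the first value (the example's "CN=$attr.cn" has no Num), that constants and $dn components are already DN-encoded and are copied as written, that $attr values are raw and are escaped per RFC 4514, and that pattern components are separated by commas that do not occur inside constants. Run on the example's own entry DN and attributes, it yields OU=IS, which is what the component-by-component explanation above states for the second 'ou' value.

```python
import re
from typing import Dict, List, Tuple

# Characters that need a backslash escape inside a DN attribute value (RFC 4514,
# section 2.4); a value read from a directory attribute may contain any of them.
_DN_SPECIALS = set(',+"\\<>;')

# One pattern component: CertAttr "=" right-hand side.
_COMP = re.compile(r'^(?P<cert>[A-Za-z][A-Za-z0-9]*)\s*=\s*(?P<rhs>.+)$')
# DnComp / EntryComp right-hand side: $dn.<attr>[.<num>] or $attr.<attr>[.<num>].
# Num is treated as optional (assumption) because the example uses "CN=$attr.cn".
_REF = re.compile(r'^\$(?P<src>dn|attr)\.(?P<name>[A-Za-z][A-Za-z0-9-]*)(?:\.(?P<num>\d+))?$')


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an entry DN such as 'UID=joesmith, OU=people, O=Acme.com' into
    (type, value) pairs, lower-casing the type. Assumes no escaped commas
    inside RDN values, which is all this illustration needs."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN in entry dn: {rdn.strip()!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def escape_value(value: str) -> str:
    """Escape a raw attribute value for use inside a DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def formulate_subject(dnpattern: str, entry_dn: str, attrs: Dict[str, List[str]]) -> str:
    """Build the certificate subject name from a dnpattern, the user's entry DN
    and the entry's multi-valued attributes.

    - empty/unset pattern -> the entry DN is used as-is
    - $dn.X.N   -> the N-th value of RDN type X in the entry DN (already DN-encoded)
    - $attr.X.N -> the N-th value of attribute X in the entry (escaped here)
    - anything else -> a constant, copied verbatim as the administrator wrote it
    A missing attribute or value index is an error, never a silently blank RDN.
    """
    if not dnpattern or not dnpattern.strip():
        return entry_dn
    dn_pairs = parse_dn(entry_dn)
    entry = {k.lower(): list(v) for k, v in attrs.items()}
    parts = []
    for raw in dnpattern.split(","):
        comp = raw.strip()
        m = _COMP.match(comp)
        if m is None:
            raise ValueError(f"malformed dnpattern component: {comp!r}")
        cert_attr, rhs = m.group("cert"), m.group("rhs").strip()
        ref = _REF.match(rhs)
        if ref is None:
            parts.append(f"{cert_attr}={rhs}")          # ConstantComp
            continue
        name = ref.group("name").lower()
        num = int(ref.group("num") or 1)                # Num defaults to the first value
        if num < 1:
            raise ValueError(f"{comp}: Num must be 1 or greater")
        if ref.group("src") == "dn":
            values = [v for a, v in dn_pairs if a == name]
            chosen = values[num - 1] if len(values) >= num else None
        else:
            values = entry.get(name, [])
            chosen = escape_value(values[num - 1]) if len(values) >= num else None
        if chosen is None:
            raise LookupError(f"{comp}: value #{num} of '{name}' is not present "
                              f"({len(values)} value(s) available)")
        parts.append(f"{cert_attr}={chosen}")
    return ", ".join(parts)


# Constructed sample input, taken from the example in the description above.
EXAMPLE_PATTERN = "E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US"
EXAMPLE_DN = "UID=joesmith, OU=people, O=Acme.com"
EXAMPLE_ATTRS = {
    "cn": ["Joe Smith"],
    "sn": ["Smith"],
    "mail": ["joesmith@acme.com", "joesmith@redhat.com"],
    "ou": ["people", "IS"],
}

if __name__ == "__main__":
    print(formulate_subject(EXAMPLE_PATTERN, EXAMPLE_DN, EXAMPLE_ATTRS))
    # E=joesmith@acme.com, CN=Joe Smith, OU=IS, O=Acme.com, C=US
```

Two design points matter for a CA deployment. Escaping is applied only to $attr values, since those are the raw, user-influenced strings (a cn of "Smith, Joe" would otherwise split into two RDNs), while $dn components are already DN-encoded and constants are administrator-controlled. Raising on a missing value, rather than emitting an empty component, means a misconfigured pattern or an incomplete directory entry surfaces as an enrollment error instead of a certificate with a silently degraded subject.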
initLdapConn

initLdapConn(AuthManagerConfig config)

initLdapConn initializes the ldap connection for shared token based CMC enrollment.

Throws:
- EBaseException
authenticate

protected String authenticate(netscape.ldap.LDAPConnection conn, IAuthCredentials authCreds, AuthToken token) throws EBaseException

Unsupported. This is an unconventional authentication plugin implementation that does not support authenticate().

Specified by:
- authenticate in class DirBasedAuthentication
Parameters:
- authCreds - The authentication credentials.
Returns:
- The user's ldap entry dn.
Throws:
- EInvalidCredentials - If the uid and password are not valid
- EBaseException - If an internal error occurs.
getConfigParams

Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.

Specified by:
- getConfigParams in interface AuthManager
Specified by:
- getConfigParams in class DirBasedAuthentication
Returns:
- String array of configuration parameter names.

getRequiredCreds

Returns array of required credentials for this authentication manager.

Specified by:
- getRequiredCreds in interface AuthManager
Specified by:
- getRequiredCreds in class DirBasedAuthentication
Returns:
- Array of required credentials.