Package org.globus.gsi.gssapi
Class GlobusGSSContextImpl

java.lang.Object
  org.globus.gsi.gssapi.GlobusGSSContextImpl

All Implemented Interfaces:
ExtendedGSSContext, GSSContext

public class GlobusGSSContextImpl extends Object implements ExtendedGSSContext
Implementation of SSL/GSI mechanism for Java GSS-API. The implementation is based on JSSE (for SSL API) and the BouncyCastle library (for certificate processing API).
The implementation is not designed to be thread-safe.
Field Summary

protected Boolean acceptNoClientCerts
protected boolean anonymity
protected BouncyCastleCertProcessingFactory certFactory
protected Boolean checkContextExpiration
protected boolean conn
protected boolean credentialDelegation
protected GlobusGSSCredentialImpl ctxCred
    Credential of this context.
protected ExtendedGSSCredential delegatedCred
    Credential delegated using delegation API
protected boolean delegationFinished
    Delegation finished indicator
protected int delegationState
    Delegation state
protected GSIConstants.DelegationType delegationType
protected ExtendedGSSCredential delegCred
    Credential delegated during context establishment
protected boolean encryption
protected boolean established
protected GSSName expectedTargetName
    Expected target name.
protected Date goodUntil
    Context expiration date.
static int GSI_WRAP
    Used to distinguish between a token created by wrap with GSSConstants.GSI_BIG QoP and a regular token created by wrap.
protected Integer gssMode
protected KeyPair keyPair
    Used during delegation
protected Boolean peerLimited
    Limited peer credentials
protected Map proxyPolicyHandlers
protected Boolean rejectLimitedProxy
protected Boolean requireAuthzWithDelegation
protected Boolean requireClientAuth
protected int role
    Context role
protected GSSName sourceName
    The name of the context initiator
protected SSLConfigurator sslConfigurator
protected SSLContext sslContext
protected SSLEngine sslEngine
protected int state
    Handshake state
protected GSSName targetName
    The name of the context acceptor
protected TrustedCertificates tc

Fields inherited from interface org.ietf.jgss.GSSContext
DEFAULT_LIFETIME, INDEFINITE_LIFETIME

Constructor Summary

GlobusGSSContextImpl(GSSName target, GlobusGSSCredentialImpl cred)

Method Summary

byte[] acceptDelegation(int lifetime, byte[] buf, int off, int len)
    Accept a delegated credential.
byte[] acceptSecContext(byte[] inBuff, int off, int len)
    This function drives the accepting side of the context establishment process.
void acceptSecContext(InputStream in, OutputStream out)
    It works just like the acceptSecContext method.
protected void checkContext()
void dispose()
byte[] export()
    Currently not implemented.
protected byte[] generateCertRequest(X509Certificate cert)
boolean getAnonymityState()
boolean getConfState()
boolean getCredDelegState()
GSSCredential getDelegatedCredential()
    Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions.
GSSCredential getDelegCred()
boolean getIntegState()
int getLifetime()
Oid getMech()
byte[] getMIC(byte[] inBuf, int off, int len, MessageProp prop)
    Returns a cryptographic MIC (message integrity check) of a specified message.
void getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp)
    Currently not implemented.
boolean getMutualAuthState()
Object getOption(Oid option)
    Gets a context option.
boolean getReplayDetState()
boolean getSequenceDetState()
GSSName getSrcName()
GSSName getTargName()
int getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize)
    Currently not implemented.
byte[] initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len)
    Initiate the delegation of a credential.
byte[] initSecContext(byte[] inBuff, int off, int len)
    This function drives the initiating side of the context establishment process.
int initSecContext(InputStream in, OutputStream out)
    It works just like the initSecContext method.
Object inquireByOid(Oid oid)
    Retrieves arbitrary data about this context.
boolean isDelegationFinished()
    Used during delegation to determine the state of the delegation.
boolean isEstablished()
boolean isInitiator()
boolean isProtReady()
boolean isTransferable()
    Currently not implemented.
void requestAnonymity(boolean state)
void requestConf(boolean state)
void requestCredDeleg(boolean state)
void requestInteg(boolean state)
void requestLifetime(int lifetime)
void requestMutualAuth(boolean state)
void requestReplayDet(boolean state)
void requestSequenceDet(boolean state)
protected void setAcceptNoClientCerts(Object value)
void setBannedCiphers(String[] ciphers)
    Specifies a list of ciphers that will not be used.
void setChannelBinding(ChannelBinding cb)
    Currently not implemented.
protected void setCheckContextExpired(Object value)
protected void setDelegationType(Object value)
protected void setGssMode(Object value)
void setOption(Oid option, Object value)
    Sets a context option.
protected void setProxyPolicyHandlers(Object value)
protected void setRejectLimitedProxy(Object value)
protected void setRequireAuthzWithDelegation(Object value)
protected void setRequireClientAuth(Object value)
protected void setTrustedCertificates(Object value)
byte[] unwrap(byte[] inBuf, int off, int len, MessageProp prop)
    Unwraps a token generated by the wrap method on the other side of the context.
void unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp)
    Currently not implemented.
protected void verifyDelegatedCert(X509Certificate certificate)
void verifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop)
    Verifies a cryptographic MIC (message integrity check) of a specified message.
void verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp)
    Currently not implemented.
byte[] wrap(byte[] inBuf, int off, int len, MessageProp prop)
    Wraps a message for integrity and protection.
void wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp)
    Currently not implemented.

Field Detail

GSI_WRAP
public static final int GSI_WRAP
Used to distinguish between a token created by wrap with GSSConstants.GSI_BIG QoP and a regular token created by wrap.
See Also: Constant Field Values

state
protected int state
Handshake state

delegationState
protected int delegationState
Delegation state

delegatedCred
protected ExtendedGSSCredential delegatedCred
Credential delegated using delegation API

delegationFinished
protected boolean delegationFinished
Delegation finished indicator

credentialDelegation
protected boolean credentialDelegation

anonymity
protected boolean anonymity

encryption
protected boolean encryption

established
protected boolean established

sourceName
protected GSSName sourceName
The name of the context initiator

targetName
protected GSSName targetName
The name of the context acceptor

role
protected int role
Context role

delegCred
protected ExtendedGSSCredential delegCred
Credential delegated during context establishment

delegationType
protected GSIConstants.DelegationType delegationType

gssMode
protected Integer gssMode

checkContextExpiration
protected Boolean checkContextExpiration

rejectLimitedProxy
protected Boolean rejectLimitedProxy

requireClientAuth
protected Boolean requireClientAuth

acceptNoClientCerts
protected Boolean acceptNoClientCerts

requireAuthzWithDelegation
protected Boolean requireAuthzWithDelegation

ctxCred
protected GlobusGSSCredentialImpl ctxCred
Credential of this context. Might be anonymous.

expectedTargetName
protected GSSName expectedTargetName
Expected target name. Used for authorization in the initiator.

goodUntil
protected Date goodUntil
Context expiration date.

sslConfigurator
protected SSLConfigurator sslConfigurator

sslContext
protected SSLContext sslContext

sslEngine
protected SSLEngine sslEngine

conn
protected boolean conn

certFactory
protected BouncyCastleCertProcessingFactory certFactory

keyPair
protected KeyPair keyPair
Used during delegation

tc
protected TrustedCertificates tc

proxyPolicyHandlers
protected Map proxyPolicyHandlers

peerLimited
protected Boolean peerLimited
Limited peer credentials

Constructor Detail

GlobusGSSContextImpl
public GlobusGSSContextImpl(GSSName target, GlobusGSSCredentialImpl cred) throws GSSException
Parameters:
target - expected target name. Can be null.
cred - credential. Cannot be null. Might be anonymous.
Throws:
GSSException

Method Detail

acceptSecContext
public byte[] acceptSecContext(byte[] inBuff, int off, int len) throws GSSException
This function drives the accepting side of the context establishment process. It is expected to be called in tandem with the initSecContext function.
The behavior of the context establishment process can be modified by the GSSConstants.GSS_MODE and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.MODE_GSI, credential delegation during the context establishment process will be accepted. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting a limited proxy credential will be automatically rejected and the context establishment process will be aborted.
Specified by: acceptSecContext in interface GSSContext
Returns: a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data).
Throws: GSSException

initSecContext
public byte[] initSecContext(byte[] inBuff, int off, int len) throws GSSException
This function drives the initiating side of the context establishment process. It is expected to be called in tandem with the acceptSecContext function.
The behavior of the context establishment process can be modified by the GSSConstants.GSS_MODE, GSSConstants.DELEGATION_TYPE and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.MODE_GSI, credential delegation during the context establishment process will be performed. The delegation type to be performed can be set using the GSSConstants.DELEGATION_TYPE context option. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting a limited proxy credential will be automatically rejected and the context establishment process will be aborted.
Specified by: initSecContext in interface GSSContext
Returns: a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data).
Throws: GSSException

wrap
public byte[] wrap(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException
Wraps a message for integrity and protection. A regular SSL-wrapped token is returned.
Specified by: wrap in interface GSSContext
Throws: GSSException

unwrap
public byte[] unwrap(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException
Unwraps a token generated by the wrap method on the other side of the context.
Specified by: unwrap in interface GSSContext
Throws: GSSException

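The initSecContext/acceptSecContext token exchange described above, driven in memory for both sides (with the GSS_MODE and REJECT_LIMITED_PROXY options those entries mention set beforehand) and followed by one wrap/unwrap round trip, as an added example that is not part of the JGlobus code base. It assumes the caller already holds a GlobusGSSCredentialImpl for each side; the class name GsiHandshakeExample and its helper names are mine.

```java
import java.util.Arrays;

import org.globus.gsi.GSIConstants;
import org.globus.gsi.gssapi.GSSConstants;
import org.globus.gsi.gssapi.GlobusGSSContextImpl;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;

/** Added example (not JGlobus code): drives both ends of a GSI context establishment. */
public final class GsiHandshakeExample {

    /** Options must be set before the first initSecContext/acceptSecContext call. */
    static void configure(GlobusGSSContextImpl ctx) throws GSSException {
        // MODE_GSI allows delegation during the handshake; MODE_SSL would behave like plain SSL.
        ctx.setOption(GSSConstants.GSS_MODE, GSIConstants.MODE_GSI);
        // A peer that authenticates with a limited proxy is rejected and the handshake aborted.
        ctx.setOption(GSSConstants.REJECT_LIMITED_PROXY, Boolean.TRUE);
    }

    /**
     * Runs the token exchange until both contexts report isEstablished() and returns
     * {client, server}. expectedTarget is the name the initiator requires the acceptor
     * to present (the constructor's target argument); null would skip that check.
     * Credentials are assumed to be loaded by the caller.
     */
    static GlobusGSSContextImpl[] establish(GlobusGSSCredentialImpl clientCred,
                                            GlobusGSSCredentialImpl serverCred,
                                            GSSName expectedTarget) throws GSSException {
        GlobusGSSContextImpl client = new GlobusGSSContextImpl(expectedTarget, clientCred);
        GlobusGSSContextImpl server = new GlobusGSSContextImpl(null, serverCred);
        configure(client);
        configure(server);
        client.requestConf(true);  // ask for confidentiality on later wrap() calls

        // The first call carries no peer token; afterwards each output token is fed to the
        // other side. A null token while either side is still unestablished means the
        // handshake stalled, which is reported instead of looping forever.
        byte[] token = client.initSecContext(new byte[0], 0, 0);
        boolean toServer = true;
        while (!(client.isEstablished() && server.isEstablished())) {
            if (token == null) {
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
            token = toServer ? server.acceptSecContext(token, 0, token.length)
                             : client.initSecContext(token, 0, token.length);
            toServer = !toServer;
        }

        // Authentication is done; the acceptor now knows the initiator's identity and can
        // make an authorization decision before any application data is exchanged.
        GSSName peer = server.getSrcName();
        if (peer == null || peer.isAnonymous()) {
            throw new GSSException(GSSException.UNAUTHORIZED);
        }
        return new GlobusGSSContextImpl[] {client, server};
    }

    /** One protected message: wrap on the sender, unwrap on the receiver, compare. */
    static boolean roundTrip(GlobusGSSContextImpl sender, GlobusGSSContextImpl receiver,
                             byte[] message) throws GSSException {
        MessageProp prop = new MessageProp(0, true);  // default QoP, privacy requested
        byte[] wrapped = sender.wrap(message, 0, message.length, prop);
        byte[] plain = receiver.unwrap(wrapped, 0, wrapped.length, prop);
        return Arrays.equals(message, plain);
    }
}
```

Whether the peer is actually allowed in is a policy decision the caller makes on the GSSName returned by getSrcName; the stall check matters because a null token from either side is a legitimate "needs more data" answer only while the other side still has something to send.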
dispose
public void dispose() throws GSSException
Specified by: dispose in interface GSSContext
Throws: GSSException

isEstablished
public boolean isEstablished()
Specified by: isEstablished in interface GSSContext

requestCredDeleg
public void requestCredDeleg(boolean state) throws GSSException
Specified by: requestCredDeleg in interface GSSContext
Throws: GSSException

getCredDelegState
public boolean getCredDelegState()
Specified by: getCredDelegState in interface GSSContext

isInitiator
public boolean isInitiator() throws GSSException
Specified by: isInitiator in interface GSSContext
Throws: GSSException

isProtReady
public boolean isProtReady()
Specified by: isProtReady in interface GSSContext

requestLifetime
public void requestLifetime(int lifetime) throws GSSException
Specified by: requestLifetime in interface GSSContext
Throws: GSSException

getLifetime
public int getLifetime()
Specified by: getLifetime in interface GSSContext

getMech
public Oid getMech() throws GSSException
Specified by: getMech in interface GSSContext
Throws: GSSException

getDelegCred
public GSSCredential getDelegCred() throws GSSException
Specified by: getDelegCred in interface GSSContext
Throws: GSSException

requestConf
public void requestConf(boolean state) throws GSSException
Specified by: requestConf in interface GSSContext
Throws: GSSException

getConfState
public boolean getConfState()
Specified by: getConfState in interface GSSContext

getMIC
public byte[] getMIC(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException
Returns a cryptographic MIC (message integrity check) of a specified message.
Specified by: getMIC in interface GSSContext
Throws: GSSException

verifyMIC
public void verifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop) throws GSSException
Verifies a cryptographic MIC (message integrity check) of a specified message.
Specified by: verifyMIC in interface GSSContext
Throws: GSSException

initSecContext
public int initSecContext(InputStream in, OutputStream out) throws GSSException
It works just like the initSecContext method. It reads one SSL token from the input stream, calls the initSecContext method and writes the output token (if any) to the output stream. No SSL token is read on the initial call.
Specified by: initSecContext in interface GSSContext
Throws: GSSException

acceptSecContext
public void acceptSecContext(InputStream in, OutputStream out) throws GSSException
It works just like the acceptSecContext method. It reads one SSL token from the input stream, calls the acceptSecContext method and writes the output token (if any) to the output stream.
Specified by: acceptSecContext in interface GSSContext
Throws: GSSException

getSrcName
public GSSName getSrcName() throws GSSException
Specified by: getSrcName in interface GSSContext
Throws: GSSException

getTargName
public GSSName getTargName() throws GSSException
Specified by: getTargName in interface GSSContext
Throws: GSSException

requestInteg
public void requestInteg(boolean state) throws GSSException
Specified by: requestInteg in interface GSSContext
Throws: GSSException

getIntegState
public boolean getIntegState()
Specified by: getIntegState in interface GSSContext

requestSequenceDet
public void requestSequenceDet(boolean state) throws GSSException
Specified by: requestSequenceDet in interface GSSContext
Throws: GSSException

getSequenceDetState
public boolean getSequenceDetState()
Specified by: getSequenceDetState in interface GSSContext

requestReplayDet
public void requestReplayDet(boolean state) throws GSSException
Specified by: requestReplayDet in interface GSSContext
Throws: GSSException

getReplayDetState
public boolean getReplayDetState()
Specified by: getReplayDetState in interface GSSContext

requestAnonymity
public void requestAnonymity(boolean state) throws GSSException
Specified by: requestAnonymity in interface GSSContext
Throws: GSSException

getAnonymityState
public boolean getAnonymityState()
Specified by: getAnonymityState in interface GSSContext

requestMutualAuth
public void requestMutualAuth(boolean state) throws GSSException
Specified by: requestMutualAuth in interface GSSContext
Throws: GSSException

getMutualAuthState
public boolean getMutualAuthState()
Specified by: getMutualAuthState in interface GSSContext

generateCertRequest
protected byte[] generateCertRequest(X509Certificate cert) throws GeneralSecurityException
Throws: GeneralSecurityException

verifyDelegatedCert
protected void verifyDelegatedCert(X509Certificate certificate) throws GeneralSecurityException
Throws: GeneralSecurityException

checkContext
protected void checkContext() throws GSSException
Throws: GSSException

setGssMode
protected void setGssMode(Object value) throws GSSException
Throws: GSSException

setDelegationType
protected void setDelegationType(Object value) throws GSSException
Throws: GSSException

setCheckContextExpired
protected void setCheckContextExpired(Object value) throws GSSException
Throws: GSSException

setRejectLimitedProxy
protected void setRejectLimitedProxy(Object value) throws GSSException
Throws: GSSException

setRequireClientAuth
protected void setRequireClientAuth(Object value) throws GSSException
Throws: GSSException

setRequireAuthzWithDelegation
protected void setRequireAuthzWithDelegation(Object value) throws GSSException
Throws: GSSException

setAcceptNoClientCerts
protected void setAcceptNoClientCerts(Object value) throws GSSException
Throws: GSSException

setProxyPolicyHandlers
protected void setProxyPolicyHandlers(Object value) throws GSSException
Throws: GSSException

setTrustedCertificates
protected void setTrustedCertificates(Object value) throws GSSException
Throws: GSSException

setOption
public void setOption(Oid option, Object value) throws GSSException
Description copied from interface: ExtendedGSSContext
Sets a context option. It can be called by the context initiator or acceptor, but only prior to the first call to initSecContext, acceptSecContext, initDelegation or acceptDelegation.
Specified by: setOption in interface ExtendedGSSContext
Parameters:
option - option type.
value - option value.
Throws:
GSSException - containing the following major error codes: GSSException.FAILURE

getOption
public Object getOption(Oid option) throws GSSException
Description copied from interface: ExtendedGSSContext
Gets a context option. It can be called by the context initiator or acceptor.
Specified by: getOption in interface ExtendedGSSContext
Parameters:
option - option type.
Returns: the option value. May be null.
Throws:
GSSException - containing the following major error codes: GSSException.FAILURE

initDelegation
public byte[] initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len) throws GSSException
Initiate the delegation of a credential. This function drives the initiating side of the credential delegation process. It is expected to be called in tandem with the acceptDelegation function.
The behavior of this function can be modified by the GSSConstants.DELEGATION_TYPE and GSSConstants.GSS_MODE context options. The GSSConstants.DELEGATION_TYPE option controls the delegation type to be performed. The GSSConstants.GSS_MODE option, if set to GSIConstants.MODE_SSL, results in tokens that are not wrapped.
Specified by: initDelegation in interface ExtendedGSSContext
Parameters:
credential - The credential to be delegated. May be null, in which case the credential associated with the security context is used.
mechanism - The desired security mechanism. May be null.
lifetime - The requested period of validity (seconds) of the delegated credential.
Returns: A token that should be passed to acceptDelegation if isDelegationFinished returns false. May be null.
Throws:
GSSException - containing the following major error codes: GSSException.FAILURE

acceptDelegation
public byte[] acceptDelegation(int lifetime, byte[] buf, int off, int len) throws GSSException
Accept a delegated credential. This function drives the accepting side of the credential delegation process. It is expected to be called in tandem with the initDelegation function.
The behavior of this function can be modified by the GSSConstants.GSS_MODE context option. The GSSConstants.GSS_MODE option, if set to GSIConstants.MODE_SSL, results in tokens that are not wrapped.
Specified by: acceptDelegation in interface ExtendedGSSContext
Parameters:
lifetime - The requested period of validity (seconds) of the delegated credential.
Returns: A token that should be passed to initDelegation if isDelegationFinished returns false. May be null.
Throws:
GSSException - containing the following major error codes: GSSException.FAILURE

getDelegatedCredential
public GSSCredential getDelegatedCredential()
Description copied from interface: ExtendedGSSContext
Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions. This is to be called on the delegation accepting side once isDelegationFinished returns true.
Specified by: getDelegatedCredential in interface ExtendedGSSContext
Returns: The delegated credential. Might be null if credential delegation is not finished.

isDelegationFinished
public boolean isDelegationFinished()
Description copied from interface: ExtendedGSSContext
Used during delegation to determine the state of the delegation.
Specified by: isDelegationFinished in interface ExtendedGSSContext
Returns: true if delegation was completed, false otherwise.

inquireByOid
public Object inquireByOid(Oid oid) throws GSSException
Retrieves arbitrary data about this context. Currently supported oid:
- GSSConstants.X509_CERT_CHAIN returns the certificate chain of the peer (X509Certificate[]).
Specified by: inquireByOid in interface ExtendedGSSContext
Parameters:
oid - the oid of the information desired.
Returns: the information desired. Might be null.
Throws:
GSSException - containing the following major error codes: GSSException.FAILURE

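The initDelegation/acceptDelegation exchange described above, together with the isDelegationFinished, getDelegatedCredential and inquireByOid calls from the neighbouring entries, driven to completion in memory, as an added example that is not JGlobus code. It assumes two GlobusGSSContextImpl instances already established with each other (GSSConstants.DELEGATION_TYPE chosen before establishment, since setOption is only allowed before the first context call); the class name GsiDelegationExample, its helper names, and the assumption about GlobusGSSName equality noted in the comment are mine.

```java
import java.security.cert.X509Certificate;

import org.globus.gsi.gssapi.GSSConstants;
import org.globus.gsi.gssapi.GlobusGSSContextImpl;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;

/** Added example (not JGlobus code): drives the delegation sub-protocol on two established contexts. */
public final class GsiDelegationExample {

    /**
     * Delegates the initiator's context credential (credential argument null) to the
     * acceptor and returns what the acceptor received. lifetimeSecs is the requested
     * validity of the delegated credential in seconds.
     */
    static GSSCredential delegate(GlobusGSSContextImpl initiator,
                                  GlobusGSSContextImpl acceptor,
                                  int lifetimeSecs) throws GSSException {
        if (!initiator.isEstablished() || !acceptor.isEstablished()) {
            throw new GSSException(GSSException.NO_CONTEXT);
        }
        // The acceptor should decide whether this peer may delegate at all before the first
        // acceptDelegation call; the peer's full chain is the input to that decision.
        X509Certificate[] chain =
            (X509Certificate[]) acceptor.inquireByOid(GSSConstants.X509_CERT_CHAIN);
        if (chain == null || chain.length == 0) {
            throw new GSSException(GSSException.UNAUTHORIZED);
        }

        byte[] token = new byte[0];   // the initial call carries no peer token
        while (!acceptor.isDelegationFinished()) {
            byte[] out = initiator.initDelegation(null, null, lifetimeSecs, token, 0, token.length);
            if (out == null) {
                // Acceptor still waiting but initiator has nothing to send: stalled exchange.
                throw new GSSException(GSSException.FAILURE);
            }
            token = acceptor.acceptDelegation(lifetimeSecs, out, 0, out.length);
            if (token == null) {
                token = new byte[0];  // acceptor finished, or has nothing to send back yet
            }
        }
        GSSCredential delegated = acceptor.getDelegatedCredential();
        if (delegated == null) {
            throw new GSSException(GSSException.NO_CRED);
        }
        return delegated;
    }

    /**
     * Checks that a received credential belongs to the authenticated peer and is still
     * valid. Assumption: GlobusGSSName equality disregards proxy-specific CN components,
     * so the delegated proxy's name equals the peer name learned during the handshake.
     */
    static boolean isUsable(GlobusGSSContextImpl acceptor, GSSCredential delegated)
            throws GSSException {
        GSSName peer = acceptor.getSrcName();
        return delegated.getRemainingLifetime() > 0 && delegated.getName().equals(peer);
    }
}
```

The loop terminates on the acceptor's isDelegationFinished because the acceptor is the side that ends up holding the credential; an initiator that reports finished while the acceptor does not is exactly the stalled case the null check catches.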
setBannedCiphers
public void setBannedCiphers(String[] ciphers)
Description copied from interface: ExtendedGSSContext
Specifies a list of ciphers that will not be used.
Specified by: setBannedCiphers in interface ExtendedGSSContext
Parameters:
ciphers - The list of banned ciphers.

getWrapSizeLimit
public int getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize) throws GSSException
Currently not implemented.
Specified by: getWrapSizeLimit in interface GSSContext
Throws: GSSException

wrap
public void wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
Currently not implemented.
Specified by: wrap in interface GSSContext
Throws: GSSException

unwrap
public void unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
Currently not implemented.
Specified by: unwrap in interface GSSContext
Throws: GSSException

getMIC
public void getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
Currently not implemented.
Specified by: getMIC in interface GSSContext
Throws: GSSException

verifyMIC
public void verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp) throws GSSException
Currently not implemented.
Specified by: verifyMIC in interface GSSContext
Throws: GSSException

setChannelBinding
public void setChannelBinding(ChannelBinding cb) throws GSSException
Currently not implemented.
Specified by: setChannelBinding in interface GSSContext
Throws: GSSException

isTransferable
public boolean isTransferable() throws GSSException
Currently not implemented.
Specified by: isTransferable in interface GSSContext
Throws: GSSException

export
public byte[] export() throws GSSException
Currently not implemented.
Specified by: export in interface GSSContext
Throws: GSSException