Package org.globus.gsi.gssapi
Class GlobusGSSContextImpl
- java.lang.Object
- org.globus.gsi.gssapi.GlobusGSSContextImpl
- All Implemented Interfaces:
ExtendedGSSContext, GSSContext
public class GlobusGSSContextImpl extends Object implements ExtendedGSSContext
Implementation of the SSL/GSI mechanism for the Java GSS-API. The implementation is based on JSSE (for the SSL API) and the BouncyCastle library (for the certificate processing API).
The implementation is not designed to be thread-safe: a context must be driven by one thread at a time.
Field Summary
Fields
Modifier and Type | Field | Description
protected Boolean | acceptNoClientCerts |
protected boolean | anonymity |
protected BouncyCastleCertProcessingFactory | certFactory |
protected Boolean | checkContextExpiration |
protected boolean | conn |
protected boolean | credentialDelegation |
protected GlobusGSSCredentialImpl | ctxCred | Credential of this context.
protected ExtendedGSSCredential | delegatedCred | Credential delegated using the delegation API.
protected boolean | delegationFinished | Delegation finished indicator.
protected int | delegationState | Delegation state.
protected GSIConstants.DelegationType | delegationType |
protected ExtendedGSSCredential | delegCred | Credential delegated during context establishment.
protected boolean | encryption |
protected boolean | established |
protected GSSName | expectedTargetName | Expected target name.
protected Boolean | forceSSLv3AndConstrainCipherSuitesForGram |
protected Date | goodUntil | Context expiration date.
static int | GSI_WRAP | Used to distinguish between a token created by wrap with the GSSConstants.GSI_BIG QoP and a regular token created by wrap.
protected Integer | gssMode |
protected KeyPair | keyPair | Used during delegation.
protected Boolean | peerLimited | Limited peer credentials.
protected Map | proxyPolicyHandlers |
protected Boolean | rejectLimitedProxy |
protected Boolean | requireAuthzWithDelegation |
protected Boolean | requireClientAuth |
protected int | role | Context role.
protected GSSName | sourceName | The name of the context initiator.
protected SSLConfigurator | sslConfigurator |
protected SSLContext | sslContext |
protected SSLEngine | sslEngine |
protected int | state | Handshake state.
protected GSSName | targetName | The name of the context acceptor.
protected TrustedCertificates | tc |
- Fields inherited from interface org.ietf.jgss.GSSContext
DEFAULT_LIFETIME, INDEFINITE_LIFETIME
-
Constructor Summary
Constructors
Constructor | Description
GlobusGSSContextImpl(GSSName target, GlobusGSSCredentialImpl cred) |
-
Method Summary
Modifier and Type | Method | Description
byte[] | acceptDelegation(int lifetime, byte[] buf, int off, int len) | Accept a delegated credential.
byte[] | acceptSecContext(byte[] inBuff, int off, int len) | This function drives the accepting side of the context establishment process.
void | acceptSecContext(InputStream in, OutputStream out) | It works just like the acceptSecContext method.
protected void | checkContext() |
void | dispose() |
byte[] | export() | Currently not implemented.
protected byte[] | generateCertRequest(X509Certificate cert) |
boolean | getAnonymityState() |
boolean | getConfState() |
boolean | getCredDelegState() |
GSSCredential | getDelegatedCredential() | Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions.
GSSCredential | getDelegCred() |
boolean | getIntegState() |
int | getLifetime() |
Oid | getMech() |
byte[] | getMIC(byte[] inBuf, int off, int len, MessageProp prop) | Returns a cryptographic MIC (message integrity check) of a specified message.
void | getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp) | Currently not implemented.
boolean | getMutualAuthState() |
Object | getOption(Oid option) | Gets a context option.
boolean | getReplayDetState() |
boolean | getSequenceDetState() |
GSSName | getSrcName() |
GSSName | getTargName() |
int | getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize) | Currently not implemented.
byte[] | initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len) | Initiate the delegation of a credential.
byte[] | initSecContext(byte[] inBuff, int off, int len) | This function drives the initiating side of the context establishment process.
int | initSecContext(InputStream in, OutputStream out) | It works just like the initSecContext method.
Object | inquireByOid(Oid oid) | Retrieves arbitrary data about this context.
boolean | isDelegationFinished() | Used during delegation to determine the state of the delegation.
boolean | isEstablished() |
boolean | isInitiator() |
boolean | isProtReady() |
boolean | isTransferable() | Currently not implemented.
void | requestAnonymity(boolean state) |
void | requestConf(boolean state) |
void | requestCredDeleg(boolean state) |
void | requestInteg(boolean state) |
void | requestLifetime(int lifetime) |
void | requestMutualAuth(boolean state) |
void | requestReplayDet(boolean state) |
void | requestSequenceDet(boolean state) |
protected void | setAcceptNoClientCerts(Object value) |
void | setBannedCiphers(String[] ciphers) | Specifies a list of ciphers that will not be used.
void | setChannelBinding(ChannelBinding cb) | Currently not implemented.
protected void | setCheckContextExpired(Object value) |
protected void | setDelegationType(Object value) |
protected void | setForceSslV3AndConstrainCipherSuitesForGram(Object value) |
protected void | setGssMode(Object value) |
void | setOption(Oid option, Object value) | Sets a context option.
protected void | setProxyPolicyHandlers(Object value) |
protected void | setRejectLimitedProxy(Object value) |
protected void | setRequireAuthzWithDelegation(Object value) |
protected void | setRequireClientAuth(Object value) |
protected void | setTrustedCertificates(Object value) |
byte[] | unwrap(byte[] inBuf, int off, int len, MessageProp prop) | Unwraps a token generated by the wrap method on the other side of the context.
void | unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) | Currently not implemented.
protected void | verifyDelegatedCert(X509Certificate certificate) |
void | verifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop) | Verifies a cryptographic MIC (message integrity check) of a specified message.
void | verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp) | Currently not implemented.
byte[] | wrap(byte[] inBuf, int off, int len, MessageProp prop) | Wraps a message for integrity and protection.
void | wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) | Currently not implemented.
-
Field Detail
-
GSI_WRAP
public static final int GSI_WRAP
Used to distinguish between a token created by wrap with the GSSConstants.GSI_BIG QoP and a regular token created by wrap.
- See Also:
Constant Field Values
-
state
protected int state
Handshake state
-
delegationState
protected int delegationState
Delegation state
-
delegatedCred
protected ExtendedGSSCredential delegatedCred
Credential delegated using delegation API
-
delegationFinished
protected boolean delegationFinished
Delegation finished indicator
-
credentialDelegation
protected boolean credentialDelegation
-
anonymity
protected boolean anonymity
-
encryption
protected boolean encryption
-
established
protected boolean established
-
sourceName
protected GSSName sourceName
The name of the context initiator
-
targetName
protected GSSName targetName
The name of the context acceptor
-
role
protected int role
Context role
-
delegCred
protected ExtendedGSSCredential delegCred
Credential delegated during context establishment
-
delegationType
protected GSIConstants.DelegationType delegationType
-
gssMode
protected Integer gssMode
-
checkContextExpiration
protected Boolean checkContextExpiration
-
rejectLimitedProxy
protected Boolean rejectLimitedProxy
-
requireClientAuth
protected Boolean requireClientAuth
-
acceptNoClientCerts
protected Boolean acceptNoClientCerts
-
requireAuthzWithDelegation
protected Boolean requireAuthzWithDelegation
-
forceSSLv3AndConstrainCipherSuitesForGram
protected Boolean forceSSLv3AndConstrainCipherSuitesForGram
-
ctxCred
protected GlobusGSSCredentialImpl ctxCred
Credential of this context. Might be anonymous.
-
expectedTargetName
protected GSSName expectedTargetName
Expected target name. Used for authorization in the initiator.
-
goodUntil
protected Date goodUntil
Context expiration date.
-
sslConfigurator
protected SSLConfigurator sslConfigurator
-
sslContext
protected SSLContext sslContext
-
sslEngine
protected SSLEngine sslEngine
-
conn
protected boolean conn
-
certFactory
protected BouncyCastleCertProcessingFactory certFactory
-
keyPair
protected KeyPair keyPair
Used during delegation
-
tc
protected TrustedCertificates tc
-
proxyPolicyHandlers
protected Map proxyPolicyHandlers
-
peerLimited
protected Boolean peerLimited
Limited peer credentials
-
-
Constructor Detail
-
GlobusGSSContextImpl
public GlobusGSSContextImpl(GSSName target, GlobusGSSCredentialImpl cred) throws GSSException
- Parameters:
target - expected target name. Can be null.
cred - credential. Cannot be null. Might be anonymous.
- Throws:
GSSException
-
-
Method Detail
-
acceptSecContext
public byte[] acceptSecContext(byte[] inBuff, int off, int len) throws GSSException
This function drives the accepting side of the context establishment process. It is expected to be called in tandem with the initSecContext function.
The behavior of the context establishment process can be modified by the GSSConstants.GSS_MODE and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.MODE_GSI, credential delegation during the context establishment process will be accepted. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting a limited proxy credential will be automatically rejected and the context establishment process will be aborted.
- Specified by:
acceptSecContext in interface GSSContext
- Returns:
- a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data).
- Throws:
GSSException
-
initSecContext
public byte[] initSecContext(byte[] inBuff, int off, int len) throws GSSException
This function drives the initiating side of the context establishment process. It is expected to be called in tandem with the acceptSecContext function.
The behavior of the context establishment process can be modified by the GSSConstants.GSS_MODE, GSSConstants.DELEGATION_TYPE, and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.MODE_GSI, credential delegation during the context establishment process will be performed. The delegation type to be performed can be set using the GSSConstants.DELEGATION_TYPE context option. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting a limited proxy credential will be automatically rejected and the context establishment process will be aborted.
- Specified by:
initSecContext in interface GSSContext
- Returns:
- a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data).
- Throws:
GSSException
-
wrap
public byte[] wrap(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException
Wraps a message for integrity and confidentiality protection. A regular SSL-wrapped token is returned.
- Specified by:
wrap in interface GSSContext
- Throws:
GSSException
-
unwrap
public byte[] unwrap(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException
Unwraps a token generated by the wrap method on the other side of the context.
- Specified by:
unwrap in interface GSSContext
- Throws:
GSSException
-
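The token-driven establishment described for acceptSecContext and initSecContext above, followed by an acceptor-side authorization check and a wrap/unwrap round trip, as an added example; it is not JGlobus code nor part of this class's documentation. It runs both sides in one process and assumes a default full proxy credential is loadable through ExtendedGSSManager.getInstance().createCredential (so REJECT_LIMITED_PROXY passes), that GSIConstants.MODE_GSI is the Integer value GSS_MODE accepts, and that the credential's own name is what the acceptor reports from getSrcName. The message text and the MAX_ROUNDS bound are constructed for the example.

```java
import org.globus.gsi.GSIConstants;
import org.globus.gsi.gssapi.GSSConstants;
import org.globus.gsi.gssapi.GlobusGSSContextImpl;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.gridforum.jgss.ExtendedGSSContext;
import org.gridforum.jgss.ExtendedGSSManager;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;

import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class GsiTokenExchange {

    // Upper bound on handshake round trips (constructed); a stalled peer must not spin forever.
    static final int MAX_ROUNDS = 16;

    /** Drives initiator and acceptor in lock step until both report an established context. */
    static void establish(ExtendedGSSContext initiator, ExtendedGSSContext acceptor) throws GSSException {
        byte[] token = new byte[0];
        for (int round = 0; !(initiator.isEstablished() && acceptor.isEstablished()); round++) {
            if (round >= MAX_ROUNDS) {
                throw new GSSException(GSSException.FAILURE, 0, "handshake did not complete");
            }
            if (!initiator.isEstablished()) {
                token = initiator.initSecContext(token, 0, token.length);
                if (token == null) token = new byte[0];   // null: nothing to send, needs more data
            }
            if (token.length > 0 && !acceptor.isEstablished()) {
                token = acceptor.acceptSecContext(token, 0, token.length);
                if (token == null) token = new byte[0];
            }
        }
    }

    /** Acceptor-side authorization: the authenticated peer must be the one we expect. */
    static X509Certificate[] authorizePeer(ExtendedGSSContext acceptor, GSSName expectedPeer) throws GSSException {
        GSSName peer = acceptor.getSrcName();
        if (!peer.equals(expectedPeer)) {
            throw new GSSException(GSSException.UNAUTHORIZED, 0, "unexpected peer " + peer);
        }
        // The raw chain is available for finer policy (issuer, proxy depth, extensions).
        return (X509Certificate[]) acceptor.inquireByOid(GSSConstants.X509_CERT_CHAIN);
    }

    /** Seals a message with wrap and opens it with unwrap on the other side, insisting on confidentiality. */
    static byte[] roundTrip(ExtendedGSSContext sender, ExtendedGSSContext receiver, byte[] msg) throws GSSException {
        if (!sender.getConfState()) {
            throw new GSSException(GSSException.FAILURE, 0, "negotiated suite provides no confidentiality");
        }
        MessageProp prop = new MessageProp(0, true);           // QOP 0, privacy requested
        byte[] sealed = sender.wrap(msg, 0, msg.length, prop);
        MessageProp inProp = new MessageProp(0, false);
        return receiver.unwrap(sealed, 0, sealed.length, inProp);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the manager can load a default proxy credential (e.g. from X509_USER_PROXY).
        GlobusGSSCredentialImpl cred = (GlobusGSSCredentialImpl)
            ExtendedGSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
        GSSName self = cred.getName();

        // Initiator: pin the expected acceptor name (null would skip that authorization).
        GlobusGSSContextImpl initiator = new GlobusGSSContextImpl(self, cred);
        initiator.setOption(GSSConstants.GSS_MODE, GSIConstants.MODE_GSI);
        initiator.requestCredDeleg(false);                     // no delegation during establishment

        // Acceptor: refuse limited proxies; options must be set before the first token.
        GlobusGSSContextImpl acceptor = new GlobusGSSContextImpl(null, cred);
        acceptor.setOption(GSSConstants.GSS_MODE, GSIConstants.MODE_GSI);
        acceptor.setOption(GSSConstants.REJECT_LIMITED_PROXY, Boolean.TRUE);

        try {
            establish(initiator, acceptor);
            X509Certificate[] chain = authorizePeer(acceptor, self);
            System.out.println("peer " + acceptor.getSrcName() + ", chain length " + chain.length);

            byte[] msg = "job submit".getBytes(StandardCharsets.US_ASCII);   // constructed message
            byte[] back = roundTrip(initiator, acceptor, msg);
            if (!Arrays.equals(msg, back)) throw new IllegalStateException("unwrap mismatch");
        } finally {
            initiator.dispose();
            acceptor.dispose();
        }
    }
}
```

The authorization step belongs on the acceptor because the constructor's target name only protects the initiator; an acceptor that never compares getSrcName (or the chain from inquireByOid) against policy has authenticated the peer but not authorized it.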
dispose
public void dispose() throws GSSException
- Specified by:
dispose in interface GSSContext
- Throws:
GSSException
-
isEstablished
public boolean isEstablished()
- Specified by:
isEstablished in interface GSSContext
-
requestCredDeleg
public void requestCredDeleg(boolean state) throws GSSException
- Specified by:
requestCredDeleg in interface GSSContext
- Throws:
GSSException
-
getCredDelegState
public boolean getCredDelegState()
- Specified by:
getCredDelegState in interface GSSContext
-
isInitiator
public boolean isInitiator() throws GSSException
- Specified by:
isInitiator in interface GSSContext
- Throws:
GSSException
-
isProtReady
public boolean isProtReady()
- Specified by:
isProtReady in interface GSSContext
-
requestLifetime
public void requestLifetime(int lifetime) throws GSSException
- Specified by:
requestLifetime in interface GSSContext
- Throws:
GSSException
-
getLifetime
public int getLifetime()
- Specified by:
getLifetime in interface GSSContext
-
getMech
public Oid getMech() throws GSSException
- Specified by:
getMech in interface GSSContext
- Throws:
GSSException
-
getDelegCred
public GSSCredential getDelegCred() throws GSSException
- Specified by:
getDelegCred in interface GSSContext
- Throws:
GSSException
-
requestConf
public void requestConf(boolean state) throws GSSException
- Specified by:
requestConf in interface GSSContext
- Throws:
GSSException
-
getConfState
public boolean getConfState()
- Specified by:
getConfState in interface GSSContext
-
getMIC
public byte[] getMIC(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException
Returns a cryptographic MIC (message integrity check) of a specified message.
- Specified by:
getMIC in interface GSSContext
- Throws:
GSSException
-
verifyMIC
public void verifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop) throws GSSException
Verifies a cryptographic MIC (message integrity check) of a specified message.
- Specified by:
verifyMIC in interface GSSContext
- Throws:
GSSException
-
initSecContext
public int initSecContext(InputStream in, OutputStream out) throws GSSException
It works just like the initSecContext(byte[], int, int) method: it reads one SSL token from the input stream, calls that method, and writes the output token (if any) to the output stream. No SSL token is read on the initial call.
- Specified by:
initSecContext in interface GSSContext
- Throws:
GSSException
-
acceptSecContext
public void acceptSecContext(InputStream in, OutputStream out) throws GSSException
It works just like the acceptSecContext(byte[], int, int) method: it reads one SSL token from the input stream, calls that method, and writes the output token (if any) to the output stream.
- Specified by:
acceptSecContext in interface GSSContext
- Throws:
GSSException
-
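The stream variants above driven over a loopback socket, with banned cipher suites configured on both ends and limited proxies rejected on the acceptor, as an added example; this is not JGlobus code. The BANNED array is a constructed list of JSSE suite names, the example assumes a default proxy credential is loadable through ExtendedGSSManager.getInstance().createCredential, and the same credential is used on both ends so the expected target name can be taken from it.

```java
import org.globus.gsi.GSIConstants;
import org.globus.gsi.gssapi.GSSConstants;
import org.globus.gsi.gssapi.GlobusGSSContextImpl;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.gridforum.jgss.ExtendedGSSManager;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSName;

import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class GsiStreamHandshake {

    // Suites to refuse on both ends (JSSE names; a constructed list for this example).
    static final String[] BANNED = {
        "SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_DH_anon_WITH_AES_256_CBC_SHA"
    };

    /** Acceptor: configure before the first token, then pump the socket streams until established. */
    static GlobusGSSContextImpl accept(Socket s, GlobusGSSCredentialImpl cred) throws Exception {
        GlobusGSSContextImpl ctx = new GlobusGSSContextImpl(null, cred);
        ctx.setOption(GSSConstants.GSS_MODE, GSIConstants.MODE_GSI);
        ctx.setOption(GSSConstants.REJECT_LIMITED_PROXY, Boolean.TRUE);
        ctx.setBannedCiphers(BANNED);
        InputStream in = s.getInputStream();
        OutputStream out = s.getOutputStream();
        while (!ctx.isEstablished()) {
            ctx.acceptSecContext(in, out);   // one SSL token in, reply (if any) out
        }
        return ctx;
    }

    /** Initiator: the expected name is what the initiator authorizes the acceptor against. */
    static GlobusGSSContextImpl connect(Socket s, GlobusGSSCredentialImpl cred, GSSName expected) throws Exception {
        GlobusGSSContextImpl ctx = new GlobusGSSContextImpl(expected, cred);
        ctx.setOption(GSSConstants.GSS_MODE, GSIConstants.MODE_GSI);
        ctx.requestCredDeleg(false);         // no delegation during establishment
        ctx.setBannedCiphers(BANNED);
        InputStream in = s.getInputStream();
        OutputStream out = s.getOutputStream();
        while (!ctx.isEstablished()) {
            ctx.initSecContext(in, out);     // nothing is read from the stream on the first call
        }
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the manager can load a default proxy credential (e.g. from X509_USER_PROXY).
        GlobusGSSCredentialImpl cred = (GlobusGSSCredentialImpl)
            ExtendedGSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Future<String> peerSeenByServer = pool.submit(() -> {
                try (Socket s = server.accept()) {
                    GlobusGSSContextImpl ctx = accept(s, cred);
                    try { return ctx.getSrcName().toString(); } finally { ctx.dispose(); }
                }
            });
            try (Socket s = new Socket(server.getInetAddress(), server.getLocalPort())) {
                GlobusGSSContextImpl ctx = connect(s, cred, cred.getName());
                try {
                    System.out.println("client sees server as " + ctx.getTargName());
                } finally { ctx.dispose(); }
            }
            System.out.println("server sees client as " + peerSeenByServer.get());
        } finally {
            pool.shutdownNow();
        }
    }
}
```

Both loops stop on isEstablished rather than on the return value of the stream call, because the page documents only that each call consumes one SSL token and emits at most one reply; the number of calls depends on how the handshake records are split.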
getSrcName
public GSSName getSrcName() throws GSSException
- Specified by:
getSrcName in interface GSSContext
- Throws:
GSSException
-
getTargName
public GSSName getTargName() throws GSSException
- Specified by:
getTargName in interface GSSContext
- Throws:
GSSException
-
requestInteg
public void requestInteg(boolean state) throws GSSException
- Specified by:
requestInteg in interface GSSContext
- Throws:
GSSException
-
getIntegState
public boolean getIntegState()
- Specified by:
getIntegState in interface GSSContext
-
requestSequenceDet
public void requestSequenceDet(boolean state) throws GSSException
- Specified by:
requestSequenceDet in interface GSSContext
- Throws:
GSSException
-
getSequenceDetState
public boolean getSequenceDetState()
- Specified by:
getSequenceDetState in interface GSSContext
-
requestReplayDet
public void requestReplayDet(boolean state) throws GSSException
- Specified by:
requestReplayDet in interface GSSContext
- Throws:
GSSException
-
getReplayDetState
public boolean getReplayDetState()
- Specified by:
getReplayDetState in interface GSSContext
-
requestAnonymity
public void requestAnonymity(boolean state) throws GSSException
- Specified by:
requestAnonymity in interface GSSContext
- Throws:
GSSException
-
getAnonymityState
public boolean getAnonymityState()
- Specified by:
getAnonymityState in interface GSSContext
-
requestMutualAuth
public void requestMutualAuth(boolean state) throws GSSException
- Specified by:
requestMutualAuth in interface GSSContext
- Throws:
GSSException
-
getMutualAuthState
public boolean getMutualAuthState()
- Specified by:
getMutualAuthState in interface GSSContext
-
generateCertRequest
protected byte[] generateCertRequest(X509Certificate cert) throws GeneralSecurityException
- Throws:
GeneralSecurityException
-
verifyDelegatedCert
protected void verifyDelegatedCert(X509Certificate certificate) throws GeneralSecurityException
- Throws:
GeneralSecurityException
-
checkContext
protected void checkContext() throws GSSException
- Throws:
GSSException
-
setGssMode
protected void setGssMode(Object value) throws GSSException
- Throws:
GSSException
-
setDelegationType
protected void setDelegationType(Object value) throws GSSException
- Throws:
GSSException
-
setCheckContextExpired
protected void setCheckContextExpired(Object value) throws GSSException
- Throws:
GSSException
-
setRejectLimitedProxy
protected void setRejectLimitedProxy(Object value) throws GSSException
- Throws:
GSSException
-
setRequireClientAuth
protected void setRequireClientAuth(Object value) throws GSSException
- Throws:
GSSException
-
setRequireAuthzWithDelegation
protected void setRequireAuthzWithDelegation(Object value) throws GSSException
- Throws:
GSSException
-
setAcceptNoClientCerts
protected void setAcceptNoClientCerts(Object value) throws GSSException
- Throws:
GSSException
-
setForceSslV3AndConstrainCipherSuitesForGram
protected void setForceSslV3AndConstrainCipherSuitesForGram(Object value) throws GSSException
- Throws:
GSSException
-
setProxyPolicyHandlers
protected void setProxyPolicyHandlers(Object value) throws GSSException
- Throws:
GSSException
-
setTrustedCertificates
protected void setTrustedCertificates(Object value) throws GSSException
- Throws:
GSSException
-
setOption
public void setOption(Oid option, Object value) throws GSSException
Description copied from interface: ExtendedGSSContext
Sets a context option. It can be called by the context initiator or acceptor, but only prior to the first call to initSecContext, acceptSecContext, initDelegation or acceptDelegation.
- Specified by:
setOption in interface ExtendedGSSContext
- Parameters:
option - option type.
value - option value.
- Throws:
GSSException - containing the following major error codes: GSSException.FAILURE
-
getOption
public Object getOption(Oid option) throws GSSException
Description copied from interface: ExtendedGSSContext
Gets a context option. It can be called by the context initiator or acceptor.
- Specified by:
getOption in interface ExtendedGSSContext
- Parameters:
option - option type.
- Returns:
- the option value. May be null.
- Throws:
GSSException - containing the following major error codes: GSSException.FAILURE
-
initDelegation
public byte[] initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len) throws GSSException
Initiate the delegation of a credential. This function drives the initiating side of the credential delegation process. It is expected to be called in tandem with the acceptDelegation function.
The behavior of this function can be modified by the GSSConstants.DELEGATION_TYPE and GSSConstants.GSS_MODE context options. The GSSConstants.DELEGATION_TYPE option controls the delegation type to be performed. The GSSConstants.GSS_MODE option, if set to GSIConstants.MODE_SSL, results in tokens that are not wrapped.
- Specified by:
initDelegation in interface ExtendedGSSContext
- Parameters:
credential - The credential to be delegated. May be null, in which case the credential associated with the security context is used.
mechanism - The desired security mechanism. May be null.
lifetime - The requested period of validity (seconds) of the delegated credential.
- Returns:
- A token that should be passed to acceptDelegation if isDelegationFinished returns false. May be null.
- Throws:
GSSException - containing the following major error codes: GSSException.FAILURE
-
acceptDelegation
public byte[] acceptDelegation(int lifetime, byte[] buf, int off, int len) throws GSSException
Accept a delegated credential. This function drives the accepting side of the credential delegation process. It is expected to be called in tandem with the initDelegation function.
The behavior of this function can be modified by the GSSConstants.GSS_MODE context option. The GSSConstants.GSS_MODE option, if set to GSIConstants.MODE_SSL, results in tokens that are not wrapped.
- Specified by:
acceptDelegation in interface ExtendedGSSContext
- Parameters:
lifetime - The requested period of validity (seconds) of the delegated credential.
- Returns:
- A token that should be passed to initDelegation if isDelegationFinished returns false. May be null.
- Throws:
GSSException - containing the following major error codes: GSSException.FAILURE
-
getDelegatedCredential
public GSSCredential getDelegatedCredential()
Description copied from interface: ExtendedGSSContext
Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions. This is to be called on the delegation accepting side once isDelegationFinished returns true.
- Specified by:
getDelegatedCredential in interface ExtendedGSSContext
- Returns:
- The delegated credential. Might be null if credential delegation is not finished.
-
isDelegationFinished
public boolean isDelegationFinished()
Description copied from interface: ExtendedGSSContext
Used during delegation to determine the state of the delegation.
- Specified by:
isDelegationFinished in interface ExtendedGSSContext
- Returns:
- true if delegation was completed, false otherwise.
-
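The post-establishment delegation exchange described under initDelegation, acceptDelegation, getDelegatedCredential and isDelegationFinished, as an added example that is not JGlobus code. It assumes two contexts that are already established (the page requires establishment first; GSS_MODE may be either MODE_SSL or MODE_GSI, since the loop just forwards whatever token each side returns), passes the tokens in-process where over a network they would go on the wire, and adds the checks a receiver should run before using the credential. The MAX_ROUNDS bound is constructed; the lifetime check relies on GSSCredential.getRemainingLifetime returning seconds.

```java
import org.gridforum.jgss.ExtendedGSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;

public class GsiDelegation {

    // Upper bound on delegation round trips (constructed); protects against a stalled peer.
    static final int MAX_ROUNDS = 8;

    /**
     * Runs the delegation exchange between an established initiator and acceptor and
     * returns the credential the acceptor received.
     */
    static GSSCredential delegate(ExtendedGSSContext initiator, ExtendedGSSContext acceptor,
                                  GSSCredential toDelegate, int lifetimeSeconds) throws GSSException {
        if (!initiator.isEstablished() || !acceptor.isEstablished()) {
            throw new GSSException(GSSException.NO_CONTEXT, 0, "delegation requires an established context");
        }
        byte[] token = new byte[0];
        for (int round = 0; !acceptor.isDelegationFinished(); round++) {
            if (round >= MAX_ROUNDS) {
                throw new GSSException(GSSException.FAILURE, 0, "delegation stalled");
            }
            if (!initiator.isDelegationFinished()) {
                // toDelegate == null delegates the context's own credential; mechanism null = default
                token = initiator.initDelegation(toDelegate, null, lifetimeSeconds, token, 0, token.length);
                if (token == null) token = new byte[0];
            }
            if (token.length > 0) {
                token = acceptor.acceptDelegation(lifetimeSeconds, token, 0, token.length);
                if (token == null) token = new byte[0];
            }
        }
        GSSCredential delegated = acceptor.getDelegatedCredential();
        if (delegated == null) {
            throw new GSSException(GSSException.FAILURE, 0, "delegation finished without a credential");
        }
        return delegated;
    }

    /** Checks a receiver should make before acting on a delegated credential. */
    static void checkDelegated(ExtendedGSSContext acceptor, GSSCredential delegated) throws GSSException {
        // The delegated proxy must belong to the peer that authenticated on this context,
        // otherwise the channel's authentication says nothing about the credential in hand.
        GSSName peer = acceptor.getSrcName();
        if (!delegated.getName().equals(peer)) {
            throw new GSSException(GSSException.UNAUTHORIZED, 0, "delegated credential is not the peer's");
        }
        // A credential that has already expired is useless and usually a sign of clock skew.
        int remaining = delegated.getRemainingLifetime();
        if (remaining <= 0) {
            throw new GSSException(GSSException.CREDENTIALS_EXPIRED, 0, "delegated credential has no lifetime left");
        }
    }

    /** Convenience: delegate the context's own credential for one hour and validate the result. */
    static GSSCredential delegateOwnCredential(ExtendedGSSContext initiator, ExtendedGSSContext acceptor)
            throws GSSException {
        GSSCredential delegated = delegate(initiator, acceptor, null, 3600);
        checkDelegated(acceptor, delegated);
        return delegated;
    }
}
```

Request the shortest lifetime the job actually needs: the delegated proxy is a bearer credential on the acceptor, and the lifetime argument is the only bound the delegator keeps over it.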
inquireByOid
public Object inquireByOid(Oid oid) throws GSSException
Retrieves arbitrary data about this context. Currently supported oid:
- GSSConstants.X509_CERT_CHAIN returns the certificate chain of the peer (X509Certificate[]).
- Specified by:
inquireByOid in interface ExtendedGSSContext
- Parameters:
oid - the oid of the information desired.
- Returns:
- the information desired. Might be null.
- Throws:
GSSException - containing the following major error codes: GSSException.FAILURE
-
-
setBannedCiphers
public void setBannedCiphers(String[] ciphers)
Description copied from interface: ExtendedGSSContext
Specifies a list of ciphers that will not be used.
- Specified by:
setBannedCiphers in interface ExtendedGSSContext
- Parameters:
ciphers - The list of banned ciphers.
-
getWrapSizeLimit
public int getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize) throws GSSException
Currently not implemented.
- Specified by:
getWrapSizeLimit in interface GSSContext
- Throws:
GSSException
-
wrap
public void wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
Currently not implemented.
- Specified by:
wrap in interface GSSContext
- Throws:
GSSException
-
unwrap
public void unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
Currently not implemented.
- Specified by:
unwrap in interface GSSContext
- Throws:
GSSException
-
getMIC
public void getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
Currently not implemented.
- Specified by:
getMIC in interface GSSContext
- Throws:
GSSException
-
verifyMIC
public void verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp) throws GSSException
Currently not implemented.
- Specified by:
verifyMIC in interface GSSContext
- Throws:
GSSException
-
setChannelBinding
public void setChannelBinding(ChannelBinding cb) throws GSSException
Currently not implemented.
- Specified by:
setChannelBinding in interface GSSContext
- Throws:
GSSException
-
isTransferable
public boolean isTransferable() throws GSSException
Currently not implemented.
- Specified by:
isTransferable in interface GSSContext
- Throws:
GSSException
-
export
public byte[] export() throws GSSException
Currently not implemented.
- Specified by:
export in interface GSSContext
- Throws:
GSSException
-
-