Class GlobusGSSContextImpl

java.lang.Object
    org.globus.gsi.gssapi.GlobusGSSContextImpl

All Implemented Interfaces:
    ExtendedGSSContext, GSSContext
Implementation of the SSL/GSI mechanism for the Java GSS-API. The implementation is based on JSSE (for the SSL API) and the BouncyCastle library (for the certificate processing API).
The implementation is not designed to be thread-safe.
Field Summary

Modifier and Type                                   Field                        Description
private static final int                            ACCEPT
protected Boolean                                   acceptNoClientCerts
protected boolean                                   anonymity
private String[]                                    bannedCiphers
protected BouncyCastleCertProcessingFactory         certFactory
protected Boolean                                   checkContextExpiration
private static final int                            CLIENT_END_DEL
private static final int                            CLIENT_START_DEL
protected boolean                                   conn
protected boolean                                   credentialDelegation
protected GlobusGSSCredentialImpl                   ctxCred                      Credential of this context.
protected ExtendedGSSCredential                     delegatedCred                Credential delegated using the delegation API
private static final int                            DELEGATION_COMPLETE_CRED
private static final int                            DELEGATION_SIGN_CERT
private static final int                            DELEGATION_START
private static final byte[]                         DELEGATION_TOKEN
protected boolean                                   delegationFinished           Delegation finished indicator
protected int                                       delegationState              Delegation state
protected GSIConstants.DelegationType               delegationType
protected ExtendedGSSCredential                     delegCred                    Credential delegated during context establishment
protected boolean                                   encryption
protected boolean                                   established
protected GSSName                                   expectedTargetName           Expected target name.
protected Date                                      goodUntil                    Context expiration date.
private static final int                            GSI_MESSAGE_DIGEST_PADDING
private static final int                            GSI_SEQUENCE_SIZE            SSL3_RT_GSSAPI_OPENSSL
static final int                                    GSI_WRAP                     Used to distinguish between a token created by wrap with GSSConstants.GSI_BIG QoP and a regular token created by wrap.
protected Integer                                   gssMode
private static final int                            HANDSHAKE
private static I18n                                 i18n
private static final int                            INITIATE
protected KeyPair                                   keyPair                      Used during delegation
private KeyPairCache                                keyPairCache                 KeyPair generation with a cache of key pairs if configured
private static org.apache.commons.logging.Log       logger
private static final String[]                       NO_ENCRYPTION
private ByteBuffer                                  outByteBuff
protected Boolean                                   peerLimited                  Limited peer credentials
protected Map                                       proxyPolicyHandlers
protected Boolean                                   rejectLimitedProxy
protected Boolean                                   requireAuthzWithDelegation
protected Boolean                                   requireClientAuth
protected int                                       role                         Context role
private byte[]                                      savedInBytes
private static final int                            SERVER_END_DEL
private static final int                            SERVER_START_DEL
protected GSSName                                   sourceName                   The name of the context initiator
protected SSLConfigurator                           sslConfigurator
protected SSLContext                                sslContext
protected SSLEngine                                 sslEngine
protected int                                       state                        Handshake state
protected GSSName                                   targetName                   The name of the context acceptor
protected TrustedCertificates                       tc
private static final int                            UNDEFINED

Fields inherited from interface GSSContext:
    DEFAULT_LIFETIME, INDEFINITE_LIFETIME
Constructor Summary

Constructors
    GlobusGSSContextImpl(GSSName target, GlobusGSSCredentialImpl cred)
Method Summary

byte[] acceptDelegation(int lifetime, byte[] buf, int off, int len)
    Accept a delegated credential.
byte[] acceptSecContext(byte[] inBuff, int off, int len)
    This function drives the accepting side of the context establishment process.
void acceptSecContext(InputStream in, OutputStream out)
    It works just like the acceptSecContext method.
private X509Certificate bcConvert(X509Certificate cert)
protected void checkContext(...)
void dispose()
byte[] export()
    Currently not implemented.
protected byte[] generateCertRequest(...)
boolean getAnonymityState()
boolean getConfState()
boolean getCredDelegState()
GSSCredential getDelegatedCredential()
    Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions.
GSSCredential getDelegCred()
boolean getIntegState()
int getLifetime()
Oid getMech()
byte[] getMIC(byte[] inBuf, int off, int len, MessageProp prop)
    Returns a cryptographic MIC (message integrity check) of a specified message.
void getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp)
    Currently not implemented.
boolean getMutualAuthState()
Object getOption(Oid option)
    Gets a context option.
boolean getReplayDetState()
boolean getSequenceDetState()
GSSName getSrcName()
GSSName getTargName()
int getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize)
    Currently not implemented.
private void handshakeFinished(...)
private void init(int how)
byte[] initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len)
    Initiate the delegation of a credential.
byte[] initSecContext(byte[] inBuff, int off, int len)
    This function drives the initiating side of the context establishment process.
int initSecContext(InputStream in, OutputStream out)
    It works just like the initSecContext method.
Object inquireByOid(Oid oid)
    Retrieves arbitrary data about this context.
boolean isDelegationFinished()
    Used during delegation to determine the state of the delegation.
boolean isEstablished()
boolean isInitiator()
boolean isProtReady()
boolean isTransferable()
    Currently not implemented.
void requestAnonymity(boolean state)
void requestConf(boolean state)
void requestCredDeleg(boolean state)
void requestInteg(boolean state)
void requestLifetime(int lifetime)
void requestMutualAuth(boolean state)
void requestReplayDet(boolean state)
void requestSequenceDet(boolean state)
private void runDelegatedTasks(SSLEngine engine)
protected void setAcceptNoClientCerts(Object value)
void setBannedCiphers(String[] ciphers)
    Specifies a list of ciphers that will not be used.
void setChannelBinding(ChannelBinding cb)
    Currently not implemented.
protected void setCheckContextExpired(Object value)
private void setCredential(...)
protected void setDelegationType(Object value)
private void setDone()
private void setGoodUntil(Date date)
protected void setGssMode(Object value)
void setOption(Oid option, Object value)
    Sets a context option.
protected void setProxyPolicyHandlers(Object value)
protected void setRejectLimitedProxy(Object value)
protected void setRequireAuthzWithDelegation(Object value)
protected void setRequireClientAuth(Object value)
protected void setTrustedCertificates(Object value)
private ByteBuffer sslDataUnwrap(ByteBuffer inBBuff, ByteBuffer outBBuff)
private ByteBuffer sslDataWrap(ByteBuffer inBBuff, ByteBuffer outBBuff)
private ByteBuffer sslProcessHandshake(ByteBuffer inBBuff, ByteBuffer outBBuff)
private byte[] unwrap(byte[] inBuf, int off, int len)
byte[] unwrap(byte[] inBuf, int off, int len, MessageProp prop)
    Unwraps a token generated by the wrap method on the other side of the context.
void unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp)
    Currently not implemented.
protected void verifyDelegatedCert(X509Certificate certificate)
void verifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop)
    Verifies a cryptographic MIC (message integrity check) of a specified message.
void verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp)
    Currently not implemented.
private byte[] wrap(byte[] inBuf, int off, int len)
byte[] wrap(byte[] inBuf, int off, int len, MessageProp prop)
    Wraps a message for integrity and protection.
void wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp)
    Currently not implemented.
Field Details

logger
    private static org.apache.commons.logging.Log logger

i18n
    private static I18n i18n

keyPairCache
    private KeyPairCache keyPairCache
    KeyPair generation with a cache of key pairs if configured

GSI_WRAP
    public static final int GSI_WRAP
    Used to distinguish between a token created by wrap with GSSConstants.GSI_BIG QoP and a regular token created by wrap.

GSI_SEQUENCE_SIZE
    private static final int GSI_SEQUENCE_SIZE
    SSL3_RT_GSSAPI_OPENSSL

GSI_MESSAGE_DIGEST_PADDING
    private static final int GSI_MESSAGE_DIGEST_PADDING

NO_ENCRYPTION
    private static final String[] NO_ENCRYPTION

DELEGATION_TOKEN
    private static final byte[] DELEGATION_TOKEN

UNDEFINED
    private static final int UNDEFINED

INITIATE
    private static final int INITIATE

ACCEPT
    private static final int ACCEPT

state
    protected int state
    Handshake state

HANDSHAKE
    private static final int HANDSHAKE

CLIENT_START_DEL
    private static final int CLIENT_START_DEL

CLIENT_END_DEL
    private static final int CLIENT_END_DEL

SERVER_START_DEL
    private static final int SERVER_START_DEL

SERVER_END_DEL
    private static final int SERVER_END_DEL

delegationState
    protected int delegationState
    Delegation state

DELEGATION_START
    private static final int DELEGATION_START

DELEGATION_SIGN_CERT
    private static final int DELEGATION_SIGN_CERT

DELEGATION_COMPLETE_CRED
    private static final int DELEGATION_COMPLETE_CRED

delegatedCred
    protected ExtendedGSSCredential delegatedCred
    Credential delegated using the delegation API

delegationFinished
    protected boolean delegationFinished
    Delegation finished indicator

credentialDelegation
    protected boolean credentialDelegation

anonymity
    protected boolean anonymity

encryption
    protected boolean encryption

established
    protected boolean established

sourceName
    protected GSSName sourceName
    The name of the context initiator

targetName
    protected GSSName targetName
    The name of the context acceptor

role
    protected int role
    Context role

delegCred
    protected ExtendedGSSCredential delegCred
    Credential delegated during context establishment

delegationType
    protected GSIConstants.DelegationType delegationType

gssMode
    protected Integer gssMode

checkContextExpiration
    protected Boolean checkContextExpiration

rejectLimitedProxy
    protected Boolean rejectLimitedProxy

requireClientAuth
    protected Boolean requireClientAuth

acceptNoClientCerts
    protected Boolean acceptNoClientCerts

requireAuthzWithDelegation
    protected Boolean requireAuthzWithDelegation

ctxCred
    protected GlobusGSSCredentialImpl ctxCred
    Credential of this context. Might be anonymous.

expectedTargetName
    protected GSSName expectedTargetName
    Expected target name. Used for authorization in the initiator.

goodUntil
    protected Date goodUntil
    Context expiration date.

sslConfigurator
    protected SSLConfigurator sslConfigurator

sslContext
    protected SSLContext sslContext

sslEngine
    protected SSLEngine sslEngine

conn
    protected boolean conn

savedInBytes
    private byte[] savedInBytes

outByteBuff
    private ByteBuffer outByteBuff

certFactory
    protected BouncyCastleCertProcessingFactory certFactory

keyPair
    protected KeyPair keyPair
    Used during delegation

tc
    protected TrustedCertificates tc

proxyPolicyHandlers
    protected Map proxyPolicyHandlers

peerLimited
    protected Boolean peerLimited
    Limited peer credentials

bannedCiphers
    private String[] bannedCiphers
Constructor Details

GlobusGSSContextImpl
    public GlobusGSSContextImpl(GSSName target, GlobusGSSCredentialImpl cred) throws GSSException
    Parameters:
        target - expected target name. Can be null.
        cred - credential. Cannot be null. Might be anonymous.
    Throws: GSSException
Method Details

runDelegatedTasks
    private void runDelegatedTasks(SSLEngine engine)

bcConvert
    private X509Certificate bcConvert(X509Certificate cert) throws GSSException
    Throws: GSSException

acceptSecContext
    public byte[] acceptSecContext(byte[] inBuff, int off, int len) throws GSSException
    This function drives the accepting side of the context establishment process. It is expected to be called in tandem with the initSecContext function.
    The behavior of the context establishment process can be modified by the GSSConstants.GSS_MODE and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the context establishment process is compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.MODE_GSI, credential delegation during the context establishment process is accepted. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting a limited proxy credential is automatically rejected and the context establishment process is aborted.
    Specified by: acceptSecContext in interface GSSContext
    Returns: a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data).
    Throws: GSSException

sslDataWrap
    private ByteBuffer sslDataWrap(ByteBuffer inBBuff, ByteBuffer outBBuff) throws GSSException
    Throws: GSSException

sslDataUnwrap
    private ByteBuffer sslDataUnwrap(ByteBuffer inBBuff, ByteBuffer outBBuff) throws GSSException
    Throws: GSSException

sslProcessHandshake
    private ByteBuffer sslProcessHandshake(ByteBuffer inBBuff, ByteBuffer outBBuff) throws GSSException
    Throws: GSSException

initSecContext
    public byte[] initSecContext(byte[] inBuff, int off, int len) throws GSSException
    This function drives the initiating side of the context establishment process. It is expected to be called in tandem with the acceptSecContext function.
    The behavior of the context establishment process can be modified by the GSSConstants.GSS_MODE, GSSConstants.DELEGATION_TYPE, and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the context establishment process is compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.MODE_GSI, credential delegation during the context establishment process is performed. The delegation type to be performed can be set using the GSSConstants.DELEGATION_TYPE context option. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting a limited proxy credential is automatically rejected and the context establishment process is aborted.
    Specified by: initSecContext in interface GSSContext
    Returns: a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data).
    Throws: GSSException

setDone
    private void setDone()

setGoodUntil
    private void setGoodUntil(Date date)

init
    private void init(int how) throws GSSException, SSLException
    Throws: GSSException, SSLException

handshakeFinished
    private void handshakeFinished(...) throws IOException
    Throws: IOException

setCredential
    private void setCredential(...) throws GSSException
    Throws: GSSException

wrap
    public byte[] wrap(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException
    Wraps a message for integrity and protection. A regular SSL-wrapped token is returned.
    Specified by: wrap in interface GSSContext
    Throws: GSSException

wrap
    private byte[] wrap(byte[] inBuf, int off, int len) throws GSSException
    Throws: GSSException

unwrap
    public byte[] unwrap(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException
    Unwraps a token generated by the wrap method on the other side of the context.
    Specified by: unwrap in interface GSSContext
    Throws: GSSException

unwrap
    private byte[] unwrap(byte[] inBuf, int off, int len) throws GSSException
    Throws: GSSException

dispose
    public void dispose() throws GSSException
    Specified by: dispose in interface GSSContext
    Throws: GSSException

isEstablished
    public boolean isEstablished()
    Specified by: isEstablished in interface GSSContext

requestCredDeleg
    public void requestCredDeleg(boolean state) throws GSSException
    Specified by: requestCredDeleg in interface GSSContext
    Throws: GSSException

getCredDelegState
    public boolean getCredDelegState()
    Specified by: getCredDelegState in interface GSSContext

isInitiator
    public boolean isInitiator() throws GSSException
    Specified by: isInitiator in interface GSSContext
    Throws: GSSException

isProtReady
    public boolean isProtReady()
    Specified by: isProtReady in interface GSSContext

requestLifetime
    public void requestLifetime(int lifetime) throws GSSException
    Specified by: requestLifetime in interface GSSContext
    Throws: GSSException

getLifetime
    public int getLifetime()
    Specified by: getLifetime in interface GSSContext

getMech
    public Oid getMech() throws GSSException
    Specified by: getMech in interface GSSContext
    Throws: GSSException

getDelegCred
    public GSSCredential getDelegCred() throws GSSException
    Specified by: getDelegCred in interface GSSContext
    Throws: GSSException

requestConf
    public void requestConf(boolean state) throws GSSException
    Specified by: requestConf in interface GSSContext
    Throws: GSSException

getConfState
    public boolean getConfState()
    Specified by: getConfState in interface GSSContext

getMIC
    public byte[] getMIC(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException
    Returns a cryptographic MIC (message integrity check) of a specified message.
    Specified by: getMIC in interface GSSContext
    Throws: GSSException

verifyMIC
    public void verifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop) throws GSSException
    Verifies a cryptographic MIC (message integrity check) of a specified message.
    Specified by: verifyMIC in interface GSSContext
    Throws: GSSException

initSecContext
    public int initSecContext(InputStream in, OutputStream out) throws GSSException
    It works just like the initSecContext method. It reads one SSL token from the input stream, calls the initSecContext method and writes the output token to the output stream (if any). No SSL token is read on the initial call.
    Specified by: initSecContext in interface GSSContext
    Throws: GSSException

acceptSecContext
    public void acceptSecContext(InputStream in, OutputStream out) throws GSSException
    It works just like the acceptSecContext method. It reads one SSL token from the input stream, calls the acceptSecContext method and writes the output token to the output stream (if any).
    Specified by: acceptSecContext in interface GSSContext
    Throws: GSSException

getSrcName
    public GSSName getSrcName() throws GSSException
    Specified by: getSrcName in interface GSSContext
    Throws: GSSException

getTargName
    public GSSName getTargName() throws GSSException
    Specified by: getTargName in interface GSSContext
    Throws: GSSException

requestInteg
    public void requestInteg(boolean state) throws GSSException
    Specified by: requestInteg in interface GSSContext
    Throws: GSSException

getIntegState
    public boolean getIntegState()
    Specified by: getIntegState in interface GSSContext

requestSequenceDet
    public void requestSequenceDet(boolean state) throws GSSException
    Specified by: requestSequenceDet in interface GSSContext
    Throws: GSSException

getSequenceDetState
    public boolean getSequenceDetState()
    Specified by: getSequenceDetState in interface GSSContext

requestReplayDet
    public void requestReplayDet(boolean state) throws GSSException
    Specified by: requestReplayDet in interface GSSContext
    Throws: GSSException

getReplayDetState
    public boolean getReplayDetState()
    Specified by: getReplayDetState in interface GSSContext

requestAnonymity
    public void requestAnonymity(boolean state) throws GSSException
    Specified by: requestAnonymity in interface GSSContext
    Throws: GSSException

getAnonymityState
    public boolean getAnonymityState()
    Specified by: getAnonymityState in interface GSSContext

requestMutualAuth
    public void requestMutualAuth(boolean state) throws GSSException
    Specified by: requestMutualAuth in interface GSSContext
    Throws: GSSException

getMutualAuthState
    public boolean getMutualAuthState()
    Specified by: getMutualAuthState in interface GSSContext

generateCertRequest
    protected byte[] generateCertRequest(...) throws GeneralSecurityException
    Throws: GeneralSecurityException

verifyDelegatedCert
    protected void verifyDelegatedCert(X509Certificate certificate) throws GeneralSecurityException
    Throws: GeneralSecurityException

checkContext
    protected void checkContext(...) throws GSSException
    Throws: GSSException

setGssMode
    protected void setGssMode(Object value) throws GSSException
    Throws: GSSException

setDelegationType
    protected void setDelegationType(Object value) throws GSSException
    Throws: GSSException

setCheckContextExpired
    protected void setCheckContextExpired(Object value) throws GSSException
    Throws: GSSException

setRejectLimitedProxy
    protected void setRejectLimitedProxy(Object value) throws GSSException
    Throws: GSSException

setRequireClientAuth
    protected void setRequireClientAuth(Object value) throws GSSException
    Throws: GSSException

setRequireAuthzWithDelegation
    protected void setRequireAuthzWithDelegation(Object value) throws GSSException
    Throws: GSSException

setAcceptNoClientCerts
    protected void setAcceptNoClientCerts(Object value) throws GSSException
    Throws: GSSException

setProxyPolicyHandlers
    protected void setProxyPolicyHandlers(Object value) throws GSSException
    Throws: GSSException

setTrustedCertificates
    protected void setTrustedCertificates(Object value) throws GSSException
    Throws: GSSException

setOption
    public void setOption(Oid option, Object value) throws GSSException
    Description copied from interface: ExtendedGSSContext
    Sets a context option. It can be called by the context initiator or acceptor, but only prior to the first call to initSecContext, acceptSecContext, initDelegation or acceptDelegation.
    Specified by: setOption in interface ExtendedGSSContext
    Parameters:
        option - option type.
        value - option value.
    Throws: GSSException containing the following major error codes: GSSException.FAILURE

getOption
    public Object getOption(Oid option) throws GSSException
    Description copied from interface: ExtendedGSSContext
    Gets a context option. It can be called by the context initiator or acceptor.
    Specified by: getOption in interface ExtendedGSSContext
    Parameters:
        option - option type.
    Returns: the option value. May be null.
    Throws: GSSException containing the following major error codes: GSSException.FAILURE

initDelegation
    public byte[] initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len) throws GSSException
    Initiate the delegation of a credential. This function drives the initiating side of the credential delegation process. It is expected to be called in tandem with the acceptDelegation function.
    The behavior of this function can be modified by the GSSConstants.DELEGATION_TYPE and GSSConstants.GSS_MODE context options. The GSSConstants.DELEGATION_TYPE option controls the delegation type to be performed. The GSSConstants.GSS_MODE option, if set to GSIConstants.MODE_SSL, results in tokens that are not wrapped.
    Specified by: initDelegation in interface ExtendedGSSContext
    Parameters:
        credential - The credential to be delegated. May be null, in which case the credential associated with the security context is used.
        mechanism - The desired security mechanism. May be null.
        lifetime - The requested period of validity (seconds) of the delegated credential.
    Returns: A token that should be passed to acceptDelegation if isDelegationFinished returns false. May be null.
    Throws: GSSException containing the following major error codes: GSSException.FAILURE

acceptDelegation
    public byte[] acceptDelegation(int lifetime, byte[] buf, int off, int len) throws GSSException
    Accept a delegated credential. This function drives the accepting side of the credential delegation process. It is expected to be called in tandem with the initDelegation function.
    The behavior of this function can be modified by the GSSConstants.GSS_MODE context option. The GSSConstants.GSS_MODE option, if set to GSIConstants.MODE_SSL, results in tokens that are not wrapped.
    Specified by: acceptDelegation in interface ExtendedGSSContext
    Parameters:
        lifetime - The requested period of validity (seconds) of the delegated credential.
    Returns: A token that should be passed to initDelegation if isDelegationFinished returns false. May be null.
    Throws: GSSException containing the following major error codes: GSSException.FAILURE

getDelegatedCredential
    public GSSCredential getDelegatedCredential() throws GSSException
    Description copied from interface: ExtendedGSSContext
    Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions. This is to be called on the delegation accepting side once isDelegationFinished returns true.
    Specified by: getDelegatedCredential in interface ExtendedGSSContext
    Returns: The delegated credential. Might be null if credential delegation is not finished.

isDelegationFinished
    public boolean isDelegationFinished()
    Description copied from interface: ExtendedGSSContext
    Used during delegation to determine the state of the delegation.
    Specified by: isDelegationFinished in interface ExtendedGSSContext
    Returns: true if delegation was completed, false otherwise.

inquireByOid
    public Object inquireByOid(Oid oid) throws GSSException
    Retrieves arbitrary data about this context. Currently supported oid:
        GSSConstants.X509_CERT_CHAIN - returns the certificate chain of the peer (X509Certificate[]).
    Specified by: inquireByOid in interface ExtendedGSSContext
    Parameters:
        oid - the oid of the information desired.
    Returns: the information desired. Might be null.
    Throws: GSSException containing the following major error codes: GSSException.FAILURE
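The initSecContext/acceptSecContext token loop, the wrap/unwrap round trip, the inquireByOid lookup and the initDelegation/acceptDelegation/isDelegationFinished exchange described above, driven end to end with both sides of a GlobusGSSContextImpl pair inside one JVM. This is an added example written for this page, not jglobus code: it assumes the jglobus jars on the classpath, a usable proxy credential in the default location so that createCredential succeeds, and GSIConstants.DelegationType.LIMITED as the value for the delegation type option; the class GsiContextRoundTrip and its helper methods are the example's own names.

```java
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.globus.gsi.GSIConstants;
import org.globus.gsi.gssapi.GSSConstants;
import org.gridforum.jgss.ExtendedGSSContext;
import org.gridforum.jgss.ExtendedGSSManager;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.MessageProp;

// Added example (not jglobus code): both ends of a GlobusGSSContextImpl pair in one JVM.
// Assumes a usable proxy credential in the default location and the jglobus jars on
// the classpath. Class and helper names are the example's own.
public class GsiContextRoundTrip {

    private static final int ONE_HOUR = 3600; // requested delegated-credential lifetime, seconds

    /** Ping-pong establishment tokens until both sides report isEstablished(). */
    static void establish(GSSContext init, GSSContext accept) throws GSSException {
        byte[] toAcceptor = init.initSecContext(new byte[0], 0, 0); // first call: no input token
        byte[] toInitiator = null;
        while (!init.isEstablished() || !accept.isEstablished()) {
            if (toAcceptor != null) {
                toInitiator = accept.acceptSecContext(toAcceptor, 0, toAcceptor.length);
                toAcceptor = null;
            } else if (toInitiator != null) {
                toAcceptor = init.initSecContext(toInitiator, 0, toInitiator.length);
                toInitiator = null;
            } else {
                // null (no token) from the last call while a side is still unestablished: stalled
                throw new GSSException(GSSException.FAILURE, 0, "handshake stalled without a token");
            }
        }
    }

    /** Wrap on one side, unwrap on the other; returns the recovered plaintext. */
    static byte[] roundTrip(GSSContext from, GSSContext to, byte[] msg) throws GSSException {
        byte[] token = from.wrap(msg, 0, msg.length, new MessageProp(0, true)); // ask for privacy
        MessageProp recvProp = new MessageProp(0, false); // unwrap fills in what was applied
        byte[] plain = to.unwrap(token, 0, token.length, recvProp);
        System.out.printf("SSL-wrapped token: %d bytes, privacy applied=%b%n",
                token.length, recvProp.getPrivacy());
        return plain;
    }

    /** Drive initDelegation/acceptDelegation until the acceptor reports the delegation finished. */
    static GSSCredential delegate(ExtendedGSSContext init, ExtendedGSSContext accept)
            throws GSSException {
        byte[] tok = null; // the first initDelegation call takes no input token
        while (!accept.isDelegationFinished()) {
            if (!init.isDelegationFinished()) {
                // credential null: delegate the credential bound to the initiator's context
                tok = init.initDelegation(null, null, ONE_HOUR, tok, 0, tok == null ? 0 : tok.length);
            }
            if (tok == null) {
                throw new GSSException(GSSException.FAILURE, 0, "delegation stalled without a token");
            }
            tok = accept.acceptDelegation(ONE_HOUR, tok, 0, tok.length);
        }
        return accept.getDelegatedCredential(); // valid once isDelegationFinished() is true
    }

    public static void main(String[] args) throws Exception {
        GSSManager manager = ExtendedGSSManager.getInstance();
        GSSCredential cred = manager.createCredential(GSSCredential.INITIATE_AND_ACCEPT);

        // Target name null disables the expected-target check; a real client passes the
        // service's name so the initiator authorizes the acceptor it is talking to.
        ExtendedGSSContext init = (ExtendedGSSContext) manager.createContext(
                null, GSSConstants.MECH_OID, cred, GSSContext.DEFAULT_LIFETIME);
        ExtendedGSSContext accept = (ExtendedGSSContext) manager.createContext(cred);

        // Options must be set before the first initSecContext/acceptSecContext call.
        for (ExtendedGSSContext ctx : Arrays.asList(init, accept)) {
            ctx.setOption(GSSConstants.GSS_MODE, GSIConstants.MODE_GSI);    // GSI mode: delegation allowed
            ctx.setOption(GSSConstants.REJECT_LIMITED_PROXY, Boolean.TRUE); // abort if the peer shows a limited proxy
        }
        // Assumed enum value for the delegation type (jglobus 2.x GSIConstants.DelegationType):
        // delegate a limited proxy rather than a full one.
        init.setOption(GSSConstants.DELEGATION_TYPE, GSIConstants.DelegationType.LIMITED);

        establish(init, accept);
        System.out.println("initiator " + accept.getSrcName() + " -> acceptor " + init.getTargName());
        X509Certificate[] peerChain = (X509Certificate[]) accept.inquireByOid(GSSConstants.X509_CERT_CHAIN);
        System.out.println("peer leaf certificate: " + peerChain[0].getSubjectX500Principal());

        byte[] msg = "constructed sample message".getBytes(StandardCharsets.US_ASCII); // constructed input
        byte[] back = roundTrip(init, accept, msg);
        System.out.println("unwrap matches original: " + Arrays.equals(msg, back));

        GSSCredential delegated = delegate(init, accept);
        System.out.println("delegated " + delegated.getName()
                + ", " + delegated.getRemainingLifetime() + " s remaining");

        init.dispose();
        accept.dispose();
    }
}
```

The two loops follow the contract stated above: a null return means "no token to send", which is normal once the returning side is finished and a stall otherwise, so each loop throws rather than spinning when no token is pending while a side is still unfinished. Against a real peer the same loops run unchanged with each token written to and read from the socket, which is exactly what the stream variants of initSecContext and acceptSecContext do on the caller's behalf.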
setBannedCiphers
    public void setBannedCiphers(String[] ciphers)
    Description copied from interface: ExtendedGSSContext
    Specifies a list of ciphers that will not be used.
    Specified by: setBannedCiphers in interface ExtendedGSSContext
    Parameters:
        ciphers - The list of banned ciphers.

getWrapSizeLimit
    public int getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize) throws GSSException
    Currently not implemented.
    Specified by: getWrapSizeLimit in interface GSSContext
    Throws: GSSException

wrap
    public void wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
    Currently not implemented.
    Specified by: wrap in interface GSSContext
    Throws: GSSException

unwrap
    public void unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
    Currently not implemented.
    Specified by: unwrap in interface GSSContext
    Throws: GSSException

getMIC
    public void getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
    Currently not implemented.
    Specified by: getMIC in interface GSSContext
    Throws: GSSException

verifyMIC
    public void verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp) throws GSSException
    Currently not implemented.
    Specified by: verifyMIC in interface GSSContext
    Throws: GSSException

setChannelBinding
    public void setChannelBinding(ChannelBinding cb) throws GSSException
    Currently not implemented.
    Specified by: setChannelBinding in interface GSSContext
    Throws: GSSException

isTransferable
    public boolean isTransferable() throws GSSException
    Currently not implemented.
    Specified by: isTransferable in interface GSSContext
    Throws: GSSException

export
    public byte[] export() throws GSSException
    Currently not implemented.
    Specified by: export in interface GSSContext
    Throws: GSSException