Package org.globus.gsi.gssapi
Class GlobusGSSContextImpl
java.lang.Object
org.globus.gsi.gssapi.GlobusGSSContextImpl
- All Implemented Interfaces:
ExtendedGSSContext,GSSContext
Implementation of SSL/GSI mechanism for Java GSS-API. The implementation
is based on JSSE (for SSL API) and the
BouncyCastle library
(for certificate processing API).
The implementation is not designed to be thread-safe.
The implementation is not designed to be thread-safe.
-
Field Summary
FieldsModifier and TypeFieldDescriptionprotected Booleanprotected booleanprotected BouncyCastleCertProcessingFactoryprotected Booleanprotected booleanprotected booleanprotected GlobusGSSCredentialImplCredential of this context.protected ExtendedGSSCredentialCredential delegated using delegation APIprotected booleanDelegation finished indicatorprotected intDelegation stateprotected GSIConstants.DelegationTypeprotected ExtendedGSSCredentialCredential delegated during context establishmentprotected booleanprotected booleanprotected GSSNameExpected target name.protected DateContext expiration date.static final intUsed to distinguish between a token created bywrapwithGSSConstants.GSI_BIGQoP and a regular token created bywrap.protected Integerprotected KeyPairUsed during delegationprotected BooleanLimited peer credentialsprotected Mapprotected Booleanprotected Booleanprotected Booleanprotected intContext roleprotected GSSNameThe name of the context initiatorprotected SSLConfiguratorprotected SSLContextprotected SSLEngineprotected intHandshake stateprotected GSSNameThe name of the context acceptorprotected TrustedCertificatesFields inherited from interface org.ietf.jgss.GSSContext
DEFAULT_LIFETIME, INDEFINITE_LIFETIME -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionbyte[]acceptDelegation(int lifetime, byte[] buf, int off, int len) Accept a delegated credential.byte[]acceptSecContext(byte[] inBuff, int off, int len) This function drives the accepting side of the context establishment process.voidacceptSecContext(InputStream in, OutputStream out) It works just likeacceptSecContextmethod.protected voidvoiddispose()byte[]export()Currently not implemented.protected byte[]booleanbooleanbooleanReturns the delegated credential that was delegated using theinitDelegationandacceptDelegationfunctions.booleanintgetMech()byte[]getMIC(byte[] inBuf, int off, int len, MessageProp prop) Returns a cryptographic MIC (message integrity check) of a specified message.voidgetMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp) Currently not implemented.booleanGets a context option.booleanbooleanintgetWrapSizeLimit(int qop, boolean confReq, int maxTokenSize) Currently not implemented.byte[]initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len) Initiate the delegation of a credential.byte[]initSecContext(byte[] inBuff, int off, int len) This function drives the initiating side of the context establishment process.intinitSecContext(InputStream in, OutputStream out) It works just likeinitSecContextmethod.inquireByOid(Oid oid) Retrieves arbitrary data about this context.booleanUsed during delegation to determine the state of the delegation.booleanbooleanbooleanbooleanCurrently not implemented.voidrequestAnonymity(boolean state) voidrequestConf(boolean state) voidrequestCredDeleg(boolean state) voidrequestInteg(boolean state) voidrequestLifetime(int lifetime) voidrequestMutualAuth(boolean state) voidrequestReplayDet(boolean state) voidrequestSequenceDet(boolean state) protected voidsetAcceptNoClientCerts(Object value) voidsetBannedCiphers(String[] ciphers) Specifies a list of ciphers that will not be used.voidCurrently not implemented.protected voidsetCheckContextExpired(Object value) protected voidsetDelegationType(Object value) protected voidsetGssMode(Object value) voidSets a context option.protected voidsetProxyPolicyHandlers(Object value) protected voidsetRejectLimitedProxy(Object value) protected voidprotected voidsetRequireClientAuth(Object value) protected voidsetTrustedCertificates(Object value) byte[]unwrap(byte[] inBuf, int off, int len, MessageProp prop) Unwraps a token generated bywrapmethod on the other side of the context.voidunwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) Currently not implemented.protected voidverifyDelegatedCert(X509Certificate certificate) voidverifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop) Verifies a cryptographic MIC (message integrity check) of a specified message.voidverifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp) Currently not implemented.byte[]wrap(byte[] inBuf, int off, int len, MessageProp prop) Wraps a message for integrity and protection.voidwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) Currently not implemented.
-
Field Details
-
GSI_WRAP
public static final int GSI_WRAPUsed to distinguish between a token created bywrapwithGSSConstants.GSI_BIGQoP and a regular token created bywrap.- See Also:
-
state
protected int stateHandshake state -
delegationState
protected int delegationStateDelegation state -
delegatedCred
Credential delegated using delegation API -
delegationFinished
protected boolean delegationFinishedDelegation finished indicator -
credentialDelegation
protected boolean credentialDelegation -
anonymity
protected boolean anonymity -
encryption
protected boolean encryption -
established
protected boolean established -
sourceName
The name of the context initiator -
targetName
The name of the context acceptor -
role
protected int roleContext role -
delegCred
Credential delegated during context establishment -
delegationType
-
gssMode
-
checkContextExpiration
-
rejectLimitedProxy
-
requireClientAuth
-
acceptNoClientCerts
-
requireAuthzWithDelegation
-
ctxCred
Credential of this context. Might be anonymous -
expectedTargetName
Expected target name. Used for authorization in initiator -
goodUntil
Context expiration date. -
sslConfigurator
-
sslContext
-
sslEngine
-
conn
protected boolean conn -
certFactory
-
keyPair
Used during delegation -
tc
-
proxyPolicyHandlers
-
peerLimited
Limited peer credentials
-
-
Constructor Details
-
GlobusGSSContextImpl
- Parameters:
target- expected target name. Can be null.cred- credential. Cannot be null. Might be anonymous.- Throws:
GSSException
-
-
Method Details
-
acceptSecContext
This function drives the accepting side of the context establishment process. It is expected to be called in tandem with theinitSecContextfunction.
The behavior of context establishment process can be modified byGSSConstants.GSS_MODEandGSSConstants.REJECT_LIMITED_PROXYcontext options. If theGSSConstants.GSS_MODEoption is set toGSIConstants.MODE_SSLthe context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set toGSIConstants.MODE_GSIcredential delegation during context establishment process will be accepted. If theGSSConstants.REJECT_LIMITED_PROXYoption is enabled, a peer presenting limited proxy credential will be automatically rejected and the context establishment process will be aborted.- Specified by:
acceptSecContextin interfaceGSSContext- Returns:
- a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data)
- Throws:
GSSException
-
initSecContext
This function drives the initiating side of the context establishment process. It is expected to be called in tandem with theacceptSecContextfunction.
The behavior of context establishment process can be modified byGSSConstants.GSS_MODE,GSSConstants.DELEGATION_TYPE, andGSSConstants.REJECT_LIMITED_PROXYcontext options. If theGSSConstants.GSS_MODEoption is set toGSIConstants.MODE_SSLthe context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set toGSIConstants.GSS_MODE_GSIcredential delegation during context establishment process will performed. The delegation type to be performed can be set using theGSSConstants.DELEGATION_TYPEcontext option. If theGSSConstants.REJECT_LIMITED_PROXYoption is enabled, a peer presenting limited proxy credential will be automatically rejected and the context establishment process will be aborted.- Specified by:
initSecContextin interfaceGSSContext- Returns:
- a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data).
- Throws:
GSSException
-
wrap
Wraps a message for integrity and protection. A regular SSL-wrapped token is returned.- Specified by:
wrapin interfaceGSSContext- Throws:
GSSException
-
unwrap
Unwraps a token generated bywrapmethod on the other side of the context.- Specified by:
unwrapin interfaceGSSContext- Throws:
GSSException
-
dispose
- Specified by:
disposein interfaceGSSContext- Throws:
GSSException
-
isEstablished
public boolean isEstablished()- Specified by:
isEstablishedin interfaceGSSContext
-
requestCredDeleg
- Specified by:
requestCredDelegin interfaceGSSContext- Throws:
GSSException
-
getCredDelegState
public boolean getCredDelegState()- Specified by:
getCredDelegStatein interfaceGSSContext
-
isInitiator
- Specified by:
isInitiatorin interfaceGSSContext- Throws:
GSSException
-
isProtReady
public boolean isProtReady()- Specified by:
isProtReadyin interfaceGSSContext
-
requestLifetime
- Specified by:
requestLifetimein interfaceGSSContext- Throws:
GSSException
-
getLifetime
public int getLifetime()- Specified by:
getLifetimein interfaceGSSContext
-
getMech
- Specified by:
getMechin interfaceGSSContext- Throws:
GSSException
-
getDelegCred
- Specified by:
getDelegCredin interfaceGSSContext- Throws:
GSSException
-
requestConf
- Specified by:
requestConfin interfaceGSSContext- Throws:
GSSException
-
getConfState
public boolean getConfState()- Specified by:
getConfStatein interfaceGSSContext
-
getMIC
Returns a cryptographic MIC (message integrity check) of a specified message.- Specified by:
getMICin interfaceGSSContext- Throws:
GSSException
-
verifyMIC
public void verifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop) throws GSSException Verifies a cryptographic MIC (message integrity check) of a specified message.- Specified by:
verifyMICin interfaceGSSContext- Throws:
GSSException
-
initSecContext
It works just likeinitSecContextmethod. It reads one SSL token from input stream, callsinitSecContextmethod and writes the output token to the output stream (if any) SSL token is not read on the initial call.- Specified by:
initSecContextin interfaceGSSContext- Throws:
GSSException
-
acceptSecContext
It works just likeacceptSecContextmethod. It reads one SSL token from input stream, callsacceptSecContextmethod and writes the output token to the output stream (if any)- Specified by:
acceptSecContextin interfaceGSSContext- Throws:
GSSException
-
getSrcName
- Specified by:
getSrcNamein interfaceGSSContext- Throws:
GSSException
-
getTargName
- Specified by:
getTargNamein interfaceGSSContext- Throws:
GSSException
-
requestInteg
- Specified by:
requestIntegin interfaceGSSContext- Throws:
GSSException
-
getIntegState
public boolean getIntegState()- Specified by:
getIntegStatein interfaceGSSContext
-
requestSequenceDet
- Specified by:
requestSequenceDetin interfaceGSSContext- Throws:
GSSException
-
getSequenceDetState
public boolean getSequenceDetState()- Specified by:
getSequenceDetStatein interfaceGSSContext
-
requestReplayDet
- Specified by:
requestReplayDetin interfaceGSSContext- Throws:
GSSException
-
getReplayDetState
public boolean getReplayDetState()- Specified by:
getReplayDetStatein interfaceGSSContext
-
requestAnonymity
- Specified by:
requestAnonymityin interfaceGSSContext- Throws:
GSSException
-
getAnonymityState
public boolean getAnonymityState()- Specified by:
getAnonymityStatein interfaceGSSContext
-
requestMutualAuth
- Specified by:
requestMutualAuthin interfaceGSSContext- Throws:
GSSException
-
getMutualAuthState
public boolean getMutualAuthState()- Specified by:
getMutualAuthStatein interfaceGSSContext
-
generateCertRequest
- Throws:
GeneralSecurityException
-
verifyDelegatedCert
- Throws:
GeneralSecurityException
-
checkContext
- Throws:
GSSException
-
setGssMode
- Throws:
GSSException
-
setDelegationType
- Throws:
GSSException
-
setCheckContextExpired
- Throws:
GSSException
-
setRejectLimitedProxy
- Throws:
GSSException
-
setRequireClientAuth
- Throws:
GSSException
-
setRequireAuthzWithDelegation
- Throws:
GSSException
-
setAcceptNoClientCerts
- Throws:
GSSException
-
setProxyPolicyHandlers
- Throws:
GSSException
-
setTrustedCertificates
- Throws:
GSSException
-
setOption
Description copied from interface:ExtendedGSSContextSets a context option. It can be called by context initiator or acceptor but prior to the first call to initSecContext, acceptSecContext, initDelegation or acceptDelegation.- Specified by:
setOptionin interfaceExtendedGSSContext- Parameters:
option- option type.value- option value.- Throws:
GSSException- containing the following major error codes:GSSException.FAILURE
-
getOption
Description copied from interface:ExtendedGSSContextGets a context option. It can be called by context initiator or acceptor.- Specified by:
getOptionin interfaceExtendedGSSContext- Parameters:
option- option type.- Returns:
- value option value. Maybe be null.
- Throws:
GSSException- containing the following major error codes:GSSException.FAILURE
-
initDelegation
public byte[] initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len) throws GSSException Initiate the delegation of a credential. This function drives the initiating side of the credential delegation process. It is expected to be called in tandem with theacceptDelegationfunction.
The behavior of this function can be modified byGSSConstants.DELEGATION_TYPEandGSSConstants.GSS_MODEcontext options. TheGSSConstants.DELEGATION_TYPEoption controls delegation type to be performed. TheGSSConstants.GSS_MODEoption if set toGSIConstants.MODE_SSLresults in tokens that are not wrapped.- Specified by:
initDelegationin interfaceExtendedGSSContext- Parameters:
credential- The credential to be delegated. May be null in which case the credential associated with the security context is used.mechanism- The desired security mechanism. May be null.lifetime- The requested period of validity (seconds) of the delegated credential.- Returns:
- A token that should be passed to
acceptDelegationifisDelegationFinishedreturns false. May be null. - Throws:
GSSException- containing the following major error codes:GSSException.FAILURE
-
acceptDelegation
Accept a delegated credential. This function drives the accepting side of the credential delegation process. It is expected to be called in tandem with theinitDelegationfunction.
The behavior of this function can be modified byGSSConstants.GSS_MODEcontext option. TheGSSConstants.GSS_MODEoption if set toGSIConstants.MODE_SSLresults in tokens that are not wrapped.- Specified by:
acceptDelegationin interfaceExtendedGSSContext- Parameters:
lifetime- The requested period of validity (seconds) of the delegated credential.- Returns:
- A token that should be passed to
initDelegationifisDelegationFinishedreturns false. May be null. - Throws:
GSSException- containing the following major error codes:GSSException.FAILURE
-
getDelegatedCredential
Description copied from interface:ExtendedGSSContextReturns the delegated credential that was delegated using theinitDelegationandacceptDelegationfunctions. This is to be called on the delegation accepting side once onceisDelegationFinishedreturns true.- Specified by:
getDelegatedCredentialin interfaceExtendedGSSContext- Returns:
- The delegated credential. Might be null if credential delegation is not finished.
-
isDelegationFinished
public boolean isDelegationFinished()Description copied from interface:ExtendedGSSContextUsed during delegation to determine the state of the delegation.- Specified by:
isDelegationFinishedin interfaceExtendedGSSContext- Returns:
- true if delegation was completed, false otherwise.
-
inquireByOid
Retrieves arbitrary data about this context. Currently supported oid:-
GSSConstants.X509_CERT_CHAINreturns certificate chain of the peer (X509Certificate[]).
- Specified by:
inquireByOidin interfaceExtendedGSSContext- Parameters:
oid- the oid of the information desired.- Returns:
- the information desired. Might be null.
- Throws:
GSSException- containing the following major error codes:GSSException.FAILURE
-
-
setBannedCiphers
Description copied from interface:ExtendedGSSContextSpecifies a list of ciphers that will not be used.- Specified by:
setBannedCiphersin interfaceExtendedGSSContext- Parameters:
ciphers- The list of banned ciphers.
-
getWrapSizeLimit
Currently not implemented.- Specified by:
getWrapSizeLimitin interfaceGSSContext- Throws:
GSSException
-
wrap
public void wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException Currently not implemented.- Specified by:
wrapin interfaceGSSContext- Throws:
GSSException
-
unwrap
public void unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException Currently not implemented.- Specified by:
unwrapin interfaceGSSContext- Throws:
GSSException
-
getMIC
public void getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException Currently not implemented.- Specified by:
getMICin interfaceGSSContext- Throws:
GSSException
-
verifyMIC
public void verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp) throws GSSException Currently not implemented.- Specified by:
verifyMICin interfaceGSSContext- Throws:
GSSException
-
setChannelBinding
Currently not implemented.- Specified by:
setChannelBindingin interfaceGSSContext- Throws:
GSSException
-
isTransferable
Currently not implemented.- Specified by:
isTransferablein interfaceGSSContext- Throws:
GSSException
-
export
Currently not implemented.- Specified by:
exportin interfaceGSSContext- Throws:
GSSException
-