org.globus.gsi.gssapi
Class GlobusGSSContextImpl

java.lang.Object
  extended by org.globus.gsi.gssapi.GlobusGSSContextImpl

public class GlobusGSSContextImpl

Implementation of the SSL/GSI mechanism for the Java GSS-API. The implementation is based on the PureTLS library (for the SSL API) and the BouncyCastle library (for the certificate processing API).

The implementation is not designed to be thread-safe.
Field Summary

| Modifier and Type | Field | Description |
|---|---|---|
| protected Boolean | acceptNoClientCerts | |
| protected boolean | anonymity | |
| protected BouncyCastleCertProcessingFactory | certFactory | |
| protected Boolean | checkContextExpiration | |
| protected COM.claymoresystems.ptls.SSLConn | conn | |
| protected PureTLSContext | context | |
| protected boolean | credentialDelegation | |
| protected GlobusGSSCredentialImpl | ctxCred | Credential of this context. |
| protected ExtendedGSSCredential | delegatedCred | Credential delegated using the delegation API. |
| protected boolean | delegationFinished | Delegation finished indicator. |
| protected int | delegationState | Delegation state. |
| protected Integer | delegationType | |
| protected ExtendedGSSCredential | delegCred | Credential delegated during context establishment. |
| protected boolean | encryption | |
| protected boolean | established | |
| protected GSSName | expectedTargetName | Expected target name. |
| protected Date | goodUntil | Context expiration date. |
| static int | GSI_WRAP | Used to distinguish between a token created by wrap with GSSConstants.GSI_BIG QoP and a regular token created by wrap. |
| protected Integer | gssMode | |
| protected TokenInputStream | in | |
| protected KeyPair | keyPair | Used during delegation. |
| protected ByteArrayOutputStream | out | |
| protected Boolean | peerLimited | Limited peer credentials. |
| protected COM.claymoresystems.sslg.SSLPolicyInt | policy | |
| protected Map | proxyPolicyHandlers | |
| protected Boolean | rejectLimitedProxy | |
| protected Boolean | requireAuthzWithDelegation | |
| protected Boolean | requireClientAuth | |
| protected int | role | Context role. |
| protected GSSName | sourceName | The name of the context initiator. |
| protected int | state | Handshake state. |
| protected GSSName | targetName | The name of the context acceptor. |
| protected TrustedCertificates | tc | |

Fields inherited from interface org.ietf.jgss.GSSContext: DEFAULT_LIFETIME, INDEFINITE_LIFETIME
Constructor Summary

| Constructor | Description |
|---|---|
| GlobusGSSContextImpl(GSSName target, GlobusGSSCredentialImpl cred) | |
Method Summary

| Modifier and Type | Method | Description |
|---|---|---|
| byte[] | acceptDelegation(int lifetime, byte[] buf, int off, int len) | Accept a delegated credential. |
| byte[] | acceptSecContext(byte[] inBuff, int off, int len) | This function drives the accepting side of the context establishment process. |
| void | acceptSecContext(InputStream in, OutputStream out) | It works just like the acceptSecContext method. |
| protected void | checkContext() | |
| void | dispose() | |
| byte[] | export() | Currently not implemented. |
| protected byte[] | generateCertRequest(X509Certificate cert) | |
| boolean | getAnonymityState() | |
| boolean | getConfState() | |
| boolean | getCredDelegState() | |
| GSSCredential | getDelegatedCredential() | Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions. |
| protected int | getDelegationType(X509Certificate issuer) | |
| GSSCredential | getDelegCred() | |
| boolean | getIntegState() | |
| int | getLifetime() | |
| Oid | getMech() | |
| byte[] | getMIC(byte[] inBuf, int off, int len, MessageProp prop) | Returns a cryptographic MIC (message integrity check) of a specified message. |
| void | getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp) | Currently not implemented. |
| boolean | getMutualAuthState() | |
| Object | getOption(Oid option) | Gets a context option. |
| boolean | getReplayDetState() | |
| boolean | getSequenceDetState() | |
| GSSName | getSrcName() | |
| GSSName | getTargName() | |
| int | getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize) | Currently not implemented. |
| byte[] | initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len) | Initiate the delegation of a credential. |
| byte[] | initSecContext(byte[] inBuff, int off, int len) | This function drives the initiating side of the context establishment process. |
| int | initSecContext(InputStream in, OutputStream out) | It works just like the initSecContext method. |
| Object | inquireByOid(Oid oid) | Retrieves arbitrary data about this context. |
| boolean | isDelegationFinished() | Used during delegation to determine the state of the delegation. |
| boolean | isEstablished() | |
| boolean | isInitiator() | |
| boolean | isProtReady() | |
| boolean | isTransferable() | Currently not implemented. |
| void | requestAnonymity(boolean state) | |
| void | requestConf(boolean state) | |
| void | requestCredDeleg(boolean state) | |
| void | requestInteg(boolean state) | |
| void | requestLifetime(int lifetime) | |
| void | requestMutualAuth(boolean state) | |
| void | requestReplayDet(boolean state) | |
| void | requestSequenceDet(boolean state) | |
| protected void | setAcceptNoClientCerts(Object value) | |
| void | setChannelBinding(ChannelBinding cb) | Currently not implemented. |
| protected void | setCheckContextExpired(Object value) | |
| protected void | setDelegationType(Object value) | |
| protected void | setGrimPolicyHandler(Object value) | |
| protected void | setGssMode(Object value) | |
| void | setOption(Oid option, Object value) | Sets a context option. |
| protected void | setProxyPolicyHandlers(Object value) | |
| protected void | setRejectLimitedProxy(Object value) | |
| protected void | setRequireAuthzWithDelegation(Object value) | |
| protected void | setRequireClientAuth(Object value) | |
| protected void | setTrustedCertificates(Object value) | |
| byte[] | unwrap(byte[] inBuf, int off, int len, MessageProp prop) | Unwraps a token generated by the wrap method on the other side of the context. |
| void | unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) | Currently not implemented. |
| protected void | verifyDelegatedCert(X509Certificate certificate) | |
| void | verifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop) | Verifies a cryptographic MIC (message integrity check) of a specified message. |
| void | verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp) | Currently not implemented. |
| byte[] | wrap(byte[] inBuf, int off, int len, MessageProp prop) | Wraps a message for integrity and protection. |
| void | wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) | Currently not implemented. |

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail

public static final int GSI_WRAP

    Used to distinguish between a token created by wrap with GSSConstants.GSI_BIG QoP and a regular token created by wrap.

protected int state
protected int delegationState
protected ExtendedGSSCredential delegatedCred
protected boolean delegationFinished
protected boolean credentialDelegation
protected boolean anonymity
protected boolean encryption
protected boolean established
protected GSSName sourceName
protected GSSName targetName
protected int role
protected ExtendedGSSCredential delegCred
protected Integer delegationType
protected Integer gssMode
protected Boolean checkContextExpiration
protected Boolean rejectLimitedProxy
protected Boolean requireClientAuth
protected Boolean acceptNoClientCerts
protected Boolean requireAuthzWithDelegation
protected GlobusGSSCredentialImpl ctxCred
protected GSSName expectedTargetName
protected Date goodUntil
protected COM.claymoresystems.ptls.SSLConn conn
protected PureTLSContext context
protected COM.claymoresystems.sslg.SSLPolicyInt policy
protected TokenInputStream in
protected ByteArrayOutputStream out
protected BouncyCastleCertProcessingFactory certFactory
protected KeyPair keyPair
protected TrustedCertificates tc
protected Map proxyPolicyHandlers
protected Boolean peerLimited
Constructor Detail

public GlobusGSSContextImpl(GSSName target, GlobusGSSCredentialImpl cred) throws GSSException

    Parameters:
        target - expected target name. Can be null.
        cred - credential. Cannot be null. Might be anonymous.
    Throws:
        GSSException
Method Detail

public byte[] acceptSecContext(byte[] inBuff, int off, int len) throws GSSException

    This function drives the accepting side of the context establishment process; it is the counterpart of the initSecContext function. The behaviour of the context establishment process is controlled by the GSSConstants.GSS_MODE and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.MODE_GSI, credential delegation during the context establishment process will be accepted. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting a limited proxy credential will be automatically rejected and the context establishment process will be aborted.

    Specified by: acceptSecContext in interface GSSContext
    Throws: GSSException

public byte[] initSecContext(byte[] inBuff, int off, int len) throws GSSException

    This function drives the initiating side of the context establishment process; it is the counterpart of the acceptSecContext function. The behaviour of the context establishment process is controlled by the GSSConstants.GSS_MODE, GSSConstants.DELEGATION_TYPE, and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.GSS_MODE_GSI, credential delegation will be performed during the context establishment process. The delegation type to be performed can be set using the GSSConstants.DELEGATION_TYPE context option. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting a limited proxy credential will be automatically rejected and the context establishment process will be aborted.

    Specified by: initSecContext in interface GSSContext
    Throws: GSSException
public byte[] wrap(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException

    Wraps a message for integrity and protection. A GSI-wrapped token is returned if the QoP requested in the MessageProp is GSSConstants.GSI_BIG. Otherwise a regular SSL-wrapped token is returned.

    Specified by: wrap in interface GSSContext
    Throws: GSSException

public byte[] unwrap(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException

    Unwraps a token generated by the wrap method on the other side of the context. The input token can either be a regular SSL-wrapped token or a GSI-wrapped token. Upon return from the method the MessageProp object will contain the applied QOP and privacy state of the message. In the case of a GSI-wrapped token the applied QOP will be set to GSSConstants.GSI_BIG.

    Specified by: unwrap in interface GSSContext
    Throws: GSSException
public void dispose() throws GSSException

    Specified by: dispose in interface GSSContext
    Throws: GSSException

public boolean isEstablished()

    Specified by: isEstablished in interface GSSContext

public void requestCredDeleg(boolean state) throws GSSException

    Specified by: requestCredDeleg in interface GSSContext
    Throws: GSSException

public boolean getCredDelegState()

    Specified by: getCredDelegState in interface GSSContext

public boolean isInitiator() throws GSSException

    Specified by: isInitiator in interface GSSContext
    Throws: GSSException

public boolean isProtReady()

    Specified by: isProtReady in interface GSSContext

public void requestLifetime(int lifetime) throws GSSException

    Specified by: requestLifetime in interface GSSContext
    Throws: GSSException

public int getLifetime()

    Specified by: getLifetime in interface GSSContext

public Oid getMech() throws GSSException

    Specified by: getMech in interface GSSContext
    Throws: GSSException

public GSSCredential getDelegCred() throws GSSException

    Specified by: getDelegCred in interface GSSContext
    Throws: GSSException

public void requestConf(boolean state) throws GSSException

    Specified by: requestConf in interface GSSContext
    Throws: GSSException

public boolean getConfState()

    Specified by: getConfState in interface GSSContext

public byte[] getMIC(byte[] inBuf, int off, int len, MessageProp prop) throws GSSException

    Returns a cryptographic MIC (message integrity check) of a specified message.

    Specified by: getMIC in interface GSSContext
    Throws: GSSException

public void verifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop) throws GSSException

    Verifies a cryptographic MIC (message integrity check) of a specified message.

    Specified by: verifyMIC in interface GSSContext
    Throws: GSSException

public int initSecContext(InputStream in, OutputStream out) throws GSSException

    It works just like the initSecContext method. It reads one SSL token from the input stream, calls the acceptSecContext method and writes the output token (if any) to the output stream. The SSL token is not read on the initial call.

    Specified by: initSecContext in interface GSSContext
    Throws: GSSException

public void acceptSecContext(InputStream in, OutputStream out) throws GSSException

    It works just like the acceptSecContext method. It reads one SSL token from the input stream, calls the acceptSecContext method and writes the output token (if any) to the output stream.

    Specified by: acceptSecContext in interface GSSContext
    Throws: GSSException

public GSSName getSrcName() throws GSSException

    Specified by: getSrcName in interface GSSContext
    Throws: GSSException

public GSSName getTargName() throws GSSException

    Specified by: getTargName in interface GSSContext
    Throws: GSSException

public void requestInteg(boolean state) throws GSSException

    Specified by: requestInteg in interface GSSContext
    Throws: GSSException

public boolean getIntegState()

    Specified by: getIntegState in interface GSSContext

public void requestSequenceDet(boolean state) throws GSSException

    Specified by: requestSequenceDet in interface GSSContext
    Throws: GSSException

public boolean getSequenceDetState()

    Specified by: getSequenceDetState in interface GSSContext

public void requestReplayDet(boolean state) throws GSSException

    Specified by: requestReplayDet in interface GSSContext
    Throws: GSSException

public boolean getReplayDetState()

    Specified by: getReplayDetState in interface GSSContext

public void requestAnonymity(boolean state) throws GSSException

    Specified by: requestAnonymity in interface GSSContext
    Throws: GSSException

public boolean getAnonymityState()

    Specified by: getAnonymityState in interface GSSContext

public void requestMutualAuth(boolean state) throws GSSException

    Specified by: requestMutualAuth in interface GSSContext
    Throws: GSSException

public boolean getMutualAuthState()

    Specified by: getMutualAuthState in interface GSSContext
protected byte[] generateCertRequest(X509Certificate cert) throws GeneralSecurityException

    Throws: GeneralSecurityException

protected void verifyDelegatedCert(X509Certificate certificate) throws GeneralSecurityException

    Throws: GeneralSecurityException

protected void checkContext() throws GSSException

    Throws: GSSException

protected int getDelegationType(X509Certificate issuer) throws GeneralSecurityException, GSSException

    Throws: GeneralSecurityException, GSSException

protected void setGssMode(Object value) throws GSSException

    Throws: GSSException

protected void setDelegationType(Object value) throws GSSException

    Throws: GSSException

protected void setCheckContextExpired(Object value) throws GSSException

    Throws: GSSException

protected void setRejectLimitedProxy(Object value) throws GSSException

    Throws: GSSException

protected void setRequireClientAuth(Object value) throws GSSException

    Throws: GSSException

protected void setRequireAuthzWithDelegation(Object value) throws GSSException

    Throws: GSSException

protected void setAcceptNoClientCerts(Object value) throws GSSException

    Throws: GSSException

protected void setGrimPolicyHandler(Object value) throws GSSException

    Throws: GSSException

protected void setProxyPolicyHandlers(Object value) throws GSSException

    Throws: GSSException

protected void setTrustedCertificates(Object value) throws GSSException

    Throws: GSSException
public void setOption(Oid option, Object value) throws GSSException

    Sets a context option. (Description copied from interface ExtendedGSSContext.)

    Specified by: setOption in interface ExtendedGSSContext
    Parameters:
        option - option type.
        value - option value.
    Throws:
        GSSException - containing the following major error codes: GSSException.FAILURE

public Object getOption(Oid option) throws GSSException

    Gets a context option. (Description copied from interface ExtendedGSSContext.)

    Specified by: getOption in interface ExtendedGSSContext
    Parameters:
        option - option type.
    Throws:
        GSSException - containing the following major error codes: GSSException.FAILURE
public byte[] initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len) throws GSSException

    Initiate the delegation of a credential; it is the counterpart of the acceptDelegation function. The behaviour of the delegation is controlled by the GSSConstants.DELEGATION_TYPE and GSSConstants.GSS_MODE context options. The GSSConstants.DELEGATION_TYPE option controls the delegation type to be performed. The GSSConstants.GSS_MODE option, if set to GSIConstants.MODE_SSL, results in tokens that are not wrapped.

    Specified by: initDelegation in interface ExtendedGSSContext
    Parameters:
        credential - The credential to be delegated. May be null, in which case the credential associated with the security context is used.
        mechanism - The desired security mechanism. May be null.
        lifetime - The requested period of validity (seconds) of the delegated credential.
        buf - The token returned by acceptDelegation if isDelegationFinished returns false. May be null.
    Throws:
        GSSException - containing the following major error codes: GSSException.FAILURE

public byte[] acceptDelegation(int lifetime, byte[] buf, int off, int len) throws GSSException

    Accept a delegated credential; it is the counterpart of the initDelegation function. The behaviour of the delegation is controlled by the GSSConstants.GSS_MODE context option. The GSSConstants.GSS_MODE option, if set to GSIConstants.MODE_SSL, results in tokens that are not wrapped.

    Specified by: acceptDelegation in interface ExtendedGSSContext
    Parameters:
        lifetime - The requested period of validity (seconds) of the delegated credential.
        buf - The token returned by initDelegation if isDelegationFinished returns false. May be null.
    Throws:
        GSSException - containing the following major error codes: GSSException.FAILURE

public GSSCredential getDelegatedCredential()

    Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions. This is to be called on the delegation accepting side once isDelegationFinished returns true. (Description copied from interface ExtendedGSSContext.)

    Specified by: getDelegatedCredential in interface ExtendedGSSContext

public boolean isDelegationFinished()

    Used during delegation to determine the state of the delegation. (Description copied from interface ExtendedGSSContext.)

    Specified by: isDelegationFinished in interface ExtendedGSSContext
public Object inquireByOid(Oid oid) throws GSSException

    Retrieves arbitrary data about this context. GSSConstants.X509_CERT_CHAIN returns the certificate chain of the peer (X509Certificate[]).

    Specified by: inquireByOid in interface ExtendedGSSContext
    Parameters:
        oid - the oid of the information desired.
    Throws:
        GSSException - containing the following major error codes: GSSException.FAILURE
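The following is an added example, not code from jGlobus or this class's documentation, showing how the methods described above fit together: the initSecContext/acceptSecContext handshake driven to completion with GSS_MODE and REJECT_LIMITED_PROXY set, the post-handshake peer checks an acceptor should make (getSrcName, inquireByOid with X509_CERT_CHAIN), wrap/unwrap with the GSI_BIG QoP plus getMIC/verifyMIC, and an explicit initDelegation/acceptDelegation exchange ending in getDelegatedCredential. It assumes that GlobusGSSManagerImpl.createCredential can load a default credential from the environment, that the option values are an Integer (GSIConstants.MODE_GSI) and a Boolean, and that GSSConstants.GSI_BIG is the int QoP value used with MessageProp; both sides run in one JVM and share that single credential, passing tokens as byte arrays instead of over a socket.

```java
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;

import org.globus.gsi.GSIConstants;
import org.globus.gsi.gssapi.GSSConstants;
import org.globus.gsi.gssapi.GlobusGSSContextImpl;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.globus.gsi.gssapi.GlobusGSSManagerImpl;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;

/** Added demonstration (not part of jGlobus): both context sides in one JVM, tokens passed in memory. */
public class GsiContextDemo {

    /** Drives initSecContext/acceptSecContext until the initiator reports isEstablished(). */
    static void establish(GlobusGSSContextImpl initiator, GlobusGSSContextImpl acceptor) throws GSSException {
        byte[] tok = new byte[0];                       // first initSecContext call takes an empty token
        while (!initiator.isEstablished()) {
            tok = initiator.initSecContext(tok, 0, tok.length);
            if (tok != null) {
                tok = acceptor.acceptSecContext(tok, 0, tok.length);
            }
            if (tok == null && !initiator.isEstablished()) {
                throw new IllegalStateException("handshake stalled: no token and context not established");
            }
        }
        if (!acceptor.isEstablished()) {
            throw new IllegalStateException("initiator established but acceptor is not");
        }
    }

    /** Acceptor-side checks: reject anonymous peers, pin the expected identity, and expose the peer chain. */
    static String checkPeer(GlobusGSSContextImpl acceptor, GSSName expected) throws GSSException {
        GSSName src = acceptor.getSrcName();
        if (src == null || src.isAnonymous()) {
            throw new SecurityException("anonymous peer rejected");
        }
        if (expected != null && !expected.equals(src)) {
            throw new SecurityException("unexpected peer identity: " + src);
        }
        X509Certificate[] chain = (X509Certificate[]) acceptor.inquireByOid(GSSConstants.X509_CERT_CHAIN);
        return chain[0].getSubjectX500Principal().getName();   // leaf certificate presented by the peer
    }

    /** Wraps with the requested QoP, unwraps on the other side, and checks the applied QoP matches. */
    static byte[] roundTrip(GlobusGSSContextImpl sender, GlobusGSSContextImpl receiver,
                            byte[] msg, boolean gsiBig) throws GSSException {
        // GSI_BIG selects a GSI-wrapped token; QoP 0 with privacy selects a regular SSL-wrapped token
        MessageProp outProp = gsiBig ? new MessageProp(GSSConstants.GSI_BIG, false) : new MessageProp(0, true);
        byte[] token = sender.wrap(msg, 0, msg.length, outProp);
        MessageProp inProp = new MessageProp(0, false);   // unwrap fills in the applied QoP and privacy state
        byte[] plain = receiver.unwrap(token, 0, token.length, inProp);
        if (gsiBig && inProp.getQOP() != GSSConstants.GSI_BIG) {
            throw new IllegalStateException("expected GSI_BIG QoP, got " + inProp.getQOP());
        }
        byte[] mic = sender.getMIC(msg, 0, msg.length, new MessageProp(0, false));
        receiver.verifyMIC(mic, 0, mic.length, msg, 0, msg.length, new MessageProp(0, false));
        return plain;
    }

    /** Explicit post-handshake delegation; the acceptor finishes last and then holds the credential. */
    static GSSCredential delegate(GlobusGSSContextImpl initiator, GlobusGSSContextImpl acceptor,
                                  int lifetime) throws GSSException {
        byte[] tok = initiator.initDelegation(null, null, lifetime, null, 0, 0);   // null: use context credential
        while (!acceptor.isDelegationFinished()) {
            if (tok == null) {
                throw new IllegalStateException("delegation stalled: no token from initiator");
            }
            tok = acceptor.acceptDelegation(lifetime, tok, 0, tok.length);
            if (acceptor.isDelegationFinished()) {
                break;
            }
            tok = initiator.initDelegation(null, null, lifetime, tok, 0, tok.length);
        }
        return acceptor.getDelegatedCredential();
    }

    public static void main(String[] args) throws Exception {
        GSSManager manager = new GlobusGSSManagerImpl();      // assumption: a default credential is loadable
        GlobusGSSCredentialImpl cred =
            (GlobusGSSCredentialImpl) manager.createCredential(GSSCredential.INITIATE_AND_ACCEPT);
        GSSName target = cred.getName();                      // demo only: both sides use the same credential
        GlobusGSSContextImpl initiator = new GlobusGSSContextImpl(target, cred);   // initiator pins target
        GlobusGSSContextImpl acceptor = new GlobusGSSContextImpl(null, cred);
        for (GlobusGSSContextImpl ctx : new GlobusGSSContextImpl[] {initiator, acceptor}) {
            ctx.setOption(GSSConstants.GSS_MODE, GSIConstants.MODE_GSI);        // GSI handshake (assumed Integer)
            ctx.setOption(GSSConstants.REJECT_LIMITED_PROXY, Boolean.TRUE);     // abort on limited proxy peers
        }
        initiator.requestCredDeleg(false);   // delegation is done explicitly below, not during the handshake
        establish(initiator, acceptor);
        System.out.println("peer " + checkPeer(acceptor, target) + ", context lifetime "
                           + acceptor.getLifetime() + "s");
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.US_ASCII);   // constructed input
        roundTrip(initiator, acceptor, msg, true);
        GSSCredential delegated = delegate(initiator, acceptor, 3600);
        System.out.println("delegated credential for " + delegated.getName()
                           + ", " + delegated.getRemainingLifetime() + "s remaining");
        initiator.dispose();
        acceptor.dispose();
    }
}
```

The handshake loop follows the GSS-API convention: the initiator is called first with an empty token, every non-null output is handed to the other side, and a null output from either side while the initiator is still unestablished is treated as a protocol failure rather than silently retried. On the acceptor the implementation does not pin an identity (expectedTargetName is only used by the initiator), so checkPeer does that comparison itself before any message is trusted.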
public int getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize) throws GSSException

    Currently not implemented.

    Specified by: getWrapSizeLimit in interface GSSContext
    Throws: GSSException

public void wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException

    Currently not implemented.

    Specified by: wrap in interface GSSContext
    Throws: GSSException

public void unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException

    Currently not implemented.

    Specified by: unwrap in interface GSSContext
    Throws: GSSException

public void getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException

    Currently not implemented.

    Specified by: getMIC in interface GSSContext
    Throws: GSSException

public void verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp) throws GSSException

    Currently not implemented.

    Specified by: verifyMIC in interface GSSContext
    Throws: GSSException

public void setChannelBinding(ChannelBinding cb) throws GSSException

    Currently not implemented.

    Specified by: setChannelBinding in interface GSSContext
    Throws: GSSException

public boolean isTransferable() throws GSSException

    Currently not implemented.

    Specified by: isTransferable in interface GSSContext
    Throws: GSSException

public byte[] export() throws GSSException

    Currently not implemented.

    Specified by: export in interface GSSContext
    Throws: GSSException