org.globus.gsi.gssapi
Class GlobusGSSContextImpl

java.lang.Object
  org.globus.gsi.gssapi.GlobusGSSContextImpl

All Implemented Interfaces:

ExtendedGSSContext, GSSContext

public class GlobusGSSContextImpl

extends Object

implements ExtendedGSSContext

Implementation of SSL/GSI mechanism for Java GSS-API. The implementation is based on the PureTLS library (for SSL API) and the BouncyCastle library (for certificate processing API).
The implementation is not designed to be thread-safe.

Field Summary

protected Boolean	acceptNoClientCerts
protected boolean	anonymity
protected BouncyCastleCertProcessingFactory	certFactory
protected Boolean	checkContextExpiration
protected COM.claymoresystems.ptls.SSLConn	conn
protected PureTLSContext	context
protected boolean	credentialDelegation
protected GlobusGSSCredentialImpl	ctxCred Credential of this context.
protected ExtendedGSSCredential	delegatedCred Credential delegated using delegation API
protected boolean	delegationFinished Delegation finished indicator
protected int	delegationState Delegation state
protected Integer	delegationType
protected ExtendedGSSCredential	delegCred Credential delegated during context establishment
protected boolean	encryption
protected boolean	established
protected GSSName	expectedTargetName Expected target name.
protected Date	goodUntil Context expiration date.
static int	GSI_WRAP Used to distinguish between a token created by wrap with GSSConstants.GSI_BIG QoP and a regular token created by wrap.
protected Integer	gssMode
protected TokenInputStream	in
protected KeyPair	keyPair Used during delegation
protected ByteArrayOutputStream	out
protected Boolean	peerLimited Limited peer credentials
protected COM.claymoresystems.sslg.SSLPolicyInt	policy
protected Map	proxyPolicyHandlers
protected Boolean	rejectLimitedProxy
protected Boolean	requireClientAuth
protected int	role Context role
protected GSSName	sourceName The name of the context initiator
protected int	state Handshake state
protected GSSName	targetName The name of the context acceptor
protected TrustedCertificates	tc

Fields inherited from interface org.ietf.jgss.GSSContext

DEFAULT_LIFETIME, INDEFINITE_LIFETIME

Constructor Summary

GlobusGSSContextImpl(GSSName target, GlobusGSSCredentialImpl cred)

Method Summary

byte[]	acceptDelegation(int lifetime, byte[] buf, int off, int len) Accept a delegated credential.
byte[]	acceptSecContext(byte[] inBuff, int off, int len) This function drives the accepting side of the context establishment process.
void	acceptSecContext(InputStream in, OutputStream out) It works just like acceptSecContext method.
protected void	checkContext()
void	dispose()
byte[]	export() Currently not implemented.
protected byte[]	generateCertRequest(X509Certificate cert)
boolean	getAnonymityState()
boolean	getConfState()
boolean	getCredDelegState()
GSSCredential	getDelegatedCredential() Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions.
protected int	getDelegationType(X509Certificate issuer)
GSSCredential	getDelegCred()
boolean	getIntegState()
int	getLifetime()
Oid	getMech()
byte[]	getMIC(byte[] inBuf, int off, int len, MessageProp prop) Returns a cryptographic MIC (message integrity check) of a specified message.
void	getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp) Currently not implemented.
boolean	getMutualAuthState()
Object	getOption(Oid option) Gets a context option.
boolean	getReplayDetState()
boolean	getSequenceDetState()
GSSName	getSrcName()
GSSName	getTargName()
int	getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize) Currently not implemented.
byte[]	initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len) Initiate the delegation of a credential.
byte[]	initSecContext(byte[] inBuff, int off, int len) This function drives the initiating side of the context establishment process.
int	initSecContext(InputStream in, OutputStream out) It works just like initSecContext method.
Object	inquireByOid(Oid oid) Retrieves arbitrary data about this context.
boolean	isDelegationFinished() Used during delegation to determine the state of the delegation.
boolean	isEstablished()
boolean	isInitiator()
boolean	isProtReady()
boolean	isTransferable() Currently not implemented.
void	requestAnonymity(boolean state)
void	requestConf(boolean state)
void	requestCredDeleg(boolean state)
void	requestInteg(boolean state)
void	requestLifetime(int lifetime)
void	requestMutualAuth(boolean state)
void	requestReplayDet(boolean state)
void	requestSequenceDet(boolean state)
protected void	setAcceptNoClientCerts(Object value)
void	setChannelBinding(ChannelBinding cb) Currently not implemented.
protected void	setCheckContextExpired(Object value)
protected void	setDelegationType(Object value)
protected void	setGrimPolicyHandler(Object value)
protected void	setGssMode(Object value)
void	setOption(Oid option, Object value) Sets a context option.
protected void	setProxyPolicyHandlers(Object value)
protected void	setRejectLimitedProxy(Object value)
protected void	setRequireClientAuth(Object value)
protected void	setTrustedCertificates(Object value)
byte[]	unwrap(byte[] inBuf, int off, int len, MessageProp prop) Unwraps a token generated by wrap method on the other side of the context.
void	unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) Currently not implemented.
protected void	verifyDelegatedCert(X509Certificate certificate)
void	verifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop) Verifies a cryptographic MIC (message integrity check) of a specified message.
void	verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp) Currently not implemented.
byte[]	wrap(byte[] inBuf, int off, int len, MessageProp prop) Wraps a message for integrity and protection.
void	wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) Currently not implemented.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

GSI_WRAP

public static final int GSI_WRAP

Used to distinguish between a token created by wrap with GSSConstants.GSI_BIG QoP and a regular token created by wrap.

See Also:

Constant Field Values

state

protected int state

Handshake state

delegationState

protected int delegationState

Delegation state

delegatedCred

protected ExtendedGSSCredential delegatedCred

Credential delegated using delegation API

delegationFinished

protected boolean delegationFinished

Delegation finished indicator

credentialDelegation

protected boolean credentialDelegation

anonymity

protected boolean anonymity

encryption

protected boolean encryption

established

protected boolean established

sourceName

protected GSSName sourceName

The name of the context initiator

targetName

protected GSSName targetName

The name of the context acceptor

role

protected int role

Context role

delegCred

protected ExtendedGSSCredential delegCred

Credential delegated during context establishment

delegationType

protected Integer delegationType

gssMode

protected Integer gssMode

checkContextExpiration

protected Boolean checkContextExpiration

rejectLimitedProxy

protected Boolean rejectLimitedProxy

requireClientAuth

protected Boolean requireClientAuth

acceptNoClientCerts

protected Boolean acceptNoClientCerts

ctxCred

protected GlobusGSSCredentialImpl ctxCred

Credential of this context. Might be anonymous

expectedTargetName

protected GSSName expectedTargetName

Expected target name. Used for authorization in initiator

goodUntil

protected Date goodUntil

Context expiration date.

conn

protected COM.claymoresystems.ptls.SSLConn conn

context

protected PureTLSContext context

policy

protected COM.claymoresystems.sslg.SSLPolicyInt policy

in

protected TokenInputStream in

out

protected ByteArrayOutputStream out

certFactory

protected BouncyCastleCertProcessingFactory certFactory

keyPair

protected KeyPair keyPair

Used during delegation

tc

protected TrustedCertificates tc

proxyPolicyHandlers

protected Map proxyPolicyHandlers

peerLimited

protected Boolean peerLimited

Limited peer credentials

Constructor Detail

GlobusGSSContextImpl

public GlobusGSSContextImpl(GSSName target,
                            GlobusGSSCredentialImpl cred)
                     throws GSSException

Parameters:

target - expected target name. Can be null.

cred - credential. Cannot be null. Might be anonymous.

Method Detail

acceptSecContext

public byte[] acceptSecContext(byte[] inBuff,
                               int off,
                               int len)
                        throws GSSException

This function drives the accepting side of the context establishment process. It is expected to be called in tandem with the initSecContext function.
The behavior of context establishment process can be modified by GSSConstants.GSS_MODE and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL the context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.MODE_GSI credential delegation during context establishment process will be accepted. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting limited proxy credential will be automatically rejected and the context establishment process will be aborted.

Specified by:

acceptSecContext in interface GSSContext

Returns:

a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data)

Throws:

GSSException

initSecContext

public byte[] initSecContext(byte[] inBuff,
                             int off,
                             int len)
                      throws GSSException

This function drives the initiating side of the context establishment process. It is expected to be called in tandem with the acceptSecContext function.
The behavior of context establishment process can be modified by GSSConstants.GSS_MODE, GSSConstants.DELEGATION_TYPE, and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL the context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.GSS_MODE_GSI credential delegation during context establishment process will performed. The delegation type to be performed can be set using the GSSConstants.DELEGATION_TYPE context option. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting limited proxy credential will be automatically rejected and the context establishment process will be aborted.

Specified by:

initSecContext in interface GSSContext

Returns:

a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data).

Throws:

GSSException

wrap

public byte[] wrap(byte[] inBuf,
                   int off,
                   int len,
                   MessageProp prop)
            throws GSSException

Wraps a message for integrity and protection. Returns a GSI-wrapped token when privacy is not requested and QOP requested is set to GSSConstants.GSI_BIG. Otherwise a regular SSL-wrapped token is returned.

Specified by:

wrap in interface GSSContext

Throws:

GSSException

unwrap

public byte[] unwrap(byte[] inBuf,
                     int off,
                     int len,
                     MessageProp prop)
              throws GSSException

Unwraps a token generated by wrap method on the other side of the context. The input token can either be a regular SSL-wrapped token or GSI-wrapped token. Upon return from the method the MessageProp object will contain the applied QOP and privacy state of the message. In case of GSI-wrapped token the applied QOP will be set to GSSConstants.GSI_BIG

Specified by:

unwrap in interface GSSContext

Throws:

GSSException

dispose

public void dispose()
             throws GSSException

Specified by:

dispose in interface GSSContext

Throws:

GSSException

isEstablished

public boolean isEstablished()

Specified by:

isEstablished in interface GSSContext

requestCredDeleg

public void requestCredDeleg(boolean state)
                      throws GSSException

Specified by:

requestCredDeleg in interface GSSContext

Throws:

GSSException

getCredDelegState

public boolean getCredDelegState()

Specified by:

getCredDelegState in interface GSSContext

isInitiator

public boolean isInitiator()
                    throws GSSException

Specified by:

isInitiator in interface GSSContext

Throws:

GSSException

isProtReady

public boolean isProtReady()

Specified by:

isProtReady in interface GSSContext

requestLifetime

public void requestLifetime(int lifetime)
                     throws GSSException

Specified by:

requestLifetime in interface GSSContext

Throws:

GSSException

getLifetime

public int getLifetime()

Specified by:

getLifetime in interface GSSContext

getMech

public Oid getMech()
            throws GSSException

Specified by:

getMech in interface GSSContext

Throws:

GSSException

getDelegCred

public GSSCredential getDelegCred()
                           throws GSSException

Specified by:

getDelegCred in interface GSSContext

Throws:

GSSException

requestConf

public void requestConf(boolean state)
                 throws GSSException

Specified by:

requestConf in interface GSSContext

Throws:

GSSException

getConfState

public boolean getConfState()

Specified by:

getConfState in interface GSSContext

getMIC

public byte[] getMIC(byte[] inBuf,
                     int off,
                     int len,
                     MessageProp prop)
              throws GSSException

Returns a cryptographic MIC (message integrity check) of a specified message.

Specified by:

getMIC in interface GSSContext

Throws:

GSSException

verifyMIC

public void verifyMIC(byte[] inTok,
                      int tokOff,
                      int tokLen,
                      byte[] inMsg,
                      int msgOff,
                      int msgLen,
                      MessageProp prop)
               throws GSSException

Verifies a cryptographic MIC (message integrity check) of a specified message.

Specified by:

verifyMIC in interface GSSContext

Throws:

GSSException

initSecContext

public int initSecContext(InputStream in,
                          OutputStream out)
                   throws GSSException

It works just like initSecContext method. It reads one SSL token from input stream, calls acceptSecContext method and writes the output token to the output stream (if any) SSL token is not read on the initial call.

Specified by:

initSecContext in interface GSSContext

Throws:

GSSException

acceptSecContext

public void acceptSecContext(InputStream in,
                             OutputStream out)
                      throws GSSException

It works just like acceptSecContext method. It reads one SSL token from input stream, calls acceptSecContext method and writes the output token to the output stream (if any)

Specified by:

acceptSecContext in interface GSSContext

Throws:

GSSException

getSrcName

public GSSName getSrcName()
                   throws GSSException

Specified by:

getSrcName in interface GSSContext

Throws:

GSSException

getTargName

public GSSName getTargName()
                    throws GSSException

Specified by:

getTargName in interface GSSContext

Throws:

GSSException

requestInteg

public void requestInteg(boolean state)
                  throws GSSException

Specified by:

requestInteg in interface GSSContext

Throws:

GSSException

getIntegState

public boolean getIntegState()

Specified by:

getIntegState in interface GSSContext

requestSequenceDet

public void requestSequenceDet(boolean state)
                        throws GSSException

Specified by:

requestSequenceDet in interface GSSContext

Throws:

GSSException

getSequenceDetState

public boolean getSequenceDetState()

Specified by:

getSequenceDetState in interface GSSContext

requestReplayDet

public void requestReplayDet(boolean state)
                      throws GSSException

Specified by:

requestReplayDet in interface GSSContext

Throws:

GSSException

getReplayDetState

public boolean getReplayDetState()

Specified by:

getReplayDetState in interface GSSContext

requestAnonymity

public void requestAnonymity(boolean state)
                      throws GSSException

Specified by:

requestAnonymity in interface GSSContext

Throws:

GSSException

getAnonymityState

public boolean getAnonymityState()

Specified by:

getAnonymityState in interface GSSContext

requestMutualAuth

public void requestMutualAuth(boolean state)
                       throws GSSException

Specified by:

requestMutualAuth in interface GSSContext

Throws:

GSSException

getMutualAuthState

public boolean getMutualAuthState()

Specified by:

getMutualAuthState in interface GSSContext

generateCertRequest

protected byte[] generateCertRequest(X509Certificate cert)
                              throws GeneralSecurityException

Throws:

GeneralSecurityException

verifyDelegatedCert

protected void verifyDelegatedCert(X509Certificate certificate)
                            throws GeneralSecurityException

Throws:

GeneralSecurityException

checkContext

protected void checkContext()
                     throws GSSException

Throws:

GSSException

getDelegationType

protected int getDelegationType(X509Certificate issuer)
                         throws GeneralSecurityException,
                                GSSException

Throws:

GeneralSecurityException

GSSException

setGssMode

protected void setGssMode(Object value)
                   throws GSSException

Throws:

GSSException

setDelegationType

protected void setDelegationType(Object value)
                          throws GSSException

Throws:

GSSException

setCheckContextExpired

protected void setCheckContextExpired(Object value)
                               throws GSSException

Throws:

GSSException

setRejectLimitedProxy

protected void setRejectLimitedProxy(Object value)
                              throws GSSException

Throws:

GSSException

setRequireClientAuth

protected void setRequireClientAuth(Object value)
                             throws GSSException

Throws:

GSSException

setAcceptNoClientCerts

protected void setAcceptNoClientCerts(Object value)
                               throws GSSException

Throws:

GSSException

setGrimPolicyHandler

protected void setGrimPolicyHandler(Object value)
                             throws GSSException

Throws:

GSSException

setProxyPolicyHandlers

protected void setProxyPolicyHandlers(Object value)
                               throws GSSException

Throws:

GSSException

setTrustedCertificates

protected void setTrustedCertificates(Object value)
                               throws GSSException

Throws:

GSSException

setOption

public void setOption(Oid option,
                      Object value)
               throws GSSException

Description copied from interface: ExtendedGSSContext

Sets a context option. It can be called by context initiator or acceptor but prior to the first call to initSecContext, acceptSecContext, initDelegation or acceptDelegation.

Specified by:

setOption in interface ExtendedGSSContext

Parameters:

option - option type.

value - option value.

Throws:

GSSException - containing the following major error codes: GSSException.FAILURE

getOption

public Object getOption(Oid option)
                 throws GSSException

Description copied from interface: ExtendedGSSContext

Gets a context option. It can be called by context initiator or acceptor.

Specified by:

getOption in interface ExtendedGSSContext

Parameters:

option - option type.

Returns:

value option value. Maybe be null.

Throws:

GSSException - containing the following major error codes: GSSException.FAILURE

initDelegation

public byte[] initDelegation(GSSCredential credential,
                             Oid mechanism,
                             int lifetime,
                             byte[] buf,
                             int off,
                             int len)
                      throws GSSException

Initiate the delegation of a credential. This function drives the initiating side of the credential delegation process. It is expected to be called in tandem with the acceptDelegation function.
The behavior of this function can be modified by GSSConstants.DELEGATION_TYPE and GSSConstants.GSS_MODE context options. The GSSConstants.DELEGATION_TYPE option controls delegation type to be performed. The GSSConstants.GSS_MODE option if set to GSIConstants.MODE_SSL results in tokens that are not wrapped.

Specified by:

initDelegation in interface ExtendedGSSContext

Parameters:

credential - The credential to be delegated. May be null in which case the credential associated with the security context is used.

mechanism - The desired security mechanism. May be null.

lifetime - The requested period of validity (seconds) of the delegated credential.

Returns:

A token that should be passed to acceptDelegation if isDelegationFinished returns false. May be null.

Throws:

GSSException - containing the following major error codes: GSSException.FAILURE

acceptDelegation

public byte[] acceptDelegation(int lifetime,
                               byte[] buf,
                               int off,
                               int len)
                        throws GSSException

Accept a delegated credential. This function drives the accepting side of the credential delegation process. It is expected to be called in tandem with the initDelegation function.
The behavior of this function can be modified by GSSConstants.GSS_MODE context option. The GSSConstants.GSS_MODE option if set to GSIConstants.MODE_SSL results in tokens that are not wrapped.

Specified by:

acceptDelegation in interface ExtendedGSSContext

Parameters:

lifetime - The requested period of validity (seconds) of the delegated credential.

Returns:

A token that should be passed to initDelegation if isDelegationFinished returns false. May be null.

Throws:

GSSException - containing the following major error codes: GSSException.FAILURE

getDelegatedCredential

public GSSCredential getDelegatedCredential()

Description copied from interface: ExtendedGSSContext

Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions. This is to be called on the delegation accepting side once once isDelegationFinished returns true.

Specified by:

getDelegatedCredential in interface ExtendedGSSContext

Returns:

The delegated credential. Might be null if credential delegation is not finished.

isDelegationFinished

public boolean isDelegationFinished()

Description copied from interface: ExtendedGSSContext

Used during delegation to determine the state of the delegation.

Specified by:

isDelegationFinished in interface ExtendedGSSContext

Returns:

true if delegation was completed, false otherwise.

inquireByOid

public Object inquireByOid(Oid oid)
                    throws GSSException

Retrieves arbitrary data about this context. Currently supported oid:

• GSSConstants.X509_CERT_CHAIN returns certificate chain of the peer (X509Certificate[]).

Specified by:

inquireByOid in interface ExtendedGSSContext

Parameters:

oid - the oid of the information desired.

Returns:

the information desired. Might be null.

Throws:

GSSException - containing the following major error codes: GSSException.FAILURE

getWrapSizeLimit

public int getWrapSizeLimit(int qop,
                            boolean confReq,
                            int maxTokenSize)
                     throws GSSException

Currently not implemented.

Specified by:

getWrapSizeLimit in interface GSSContext

Throws:

GSSException

wrap

public void wrap(InputStream inStream,
                 OutputStream outStream,
                 MessageProp msgProp)
          throws GSSException

Currently not implemented.

Specified by:

wrap in interface GSSContext

Throws:

GSSException

unwrap

public void unwrap(InputStream inStream,
                   OutputStream outStream,
                   MessageProp msgProp)
            throws GSSException

Currently not implemented.

Specified by:

unwrap in interface GSSContext

Throws:

GSSException

getMIC

public void getMIC(InputStream inStream,
                   OutputStream outStream,
                   MessageProp msgProp)
            throws GSSException

Currently not implemented.

Specified by:

getMIC in interface GSSContext

Throws:

GSSException

verifyMIC

public void verifyMIC(InputStream tokStream,
                      InputStream msgStream,
                      MessageProp msgProp)
               throws GSSException

Currently not implemented.

Specified by:

verifyMIC in interface GSSContext

Throws:

GSSException

setChannelBinding

public void setChannelBinding(ChannelBinding cb)
                       throws GSSException

Currently not implemented.

Specified by:

setChannelBinding in interface GSSContext

Throws:

GSSException

isTransferable

public boolean isTransferable()
                       throws GSSException

Currently not implemented.

Specified by:

isTransferable in interface GSSContext

Throws:

GSSException

export

public byte[] export()
              throws GSSException

Currently not implemented.

Specified by:

export in interface GSSContext

Throws:

GSSException