Package org.globus.gsi.gssapi

Class GlobusGSSContextImpl

  • All Implemented Interfaces:
    ExtendedGSSContext, org.ietf.jgss.GSSContext
    public class GlobusGSSContextImpl
extends java.lang.Object
implements ExtendedGSSContext
    Implementation of SSL/GSI mechanism for Java GSS-API. The implementation is based on JSSE (for SSL API) and the BouncyCastle library (for certificate processing API).
    The implementation is not designed to be thread-safe.

    • Field Detail

      • state

        protected int state
        Handshake state

      • delegationState

        protected int delegationState
        Delegation state

      • delegationFinished

        protected boolean delegationFinished
        Delegation finished indicator

      • credentialDelegation

        protected boolean credentialDelegation

      • anonymity

        protected boolean anonymity

      • encryption

        protected boolean encryption

      • established

        protected boolean established

      • sourceName

        protected org.ietf.jgss.GSSName sourceName
        The name of the context initiator

      • targetName

        protected org.ietf.jgss.GSSName targetName
        The name of the context acceptor

      • role

        protected int role
        Context role

      • gssMode

        protected java.lang.Integer gssMode

      • checkContextExpiration

        protected java.lang.Boolean checkContextExpiration

      • rejectLimitedProxy

        protected java.lang.Boolean rejectLimitedProxy

      • requireClientAuth

        protected java.lang.Boolean requireClientAuth

      • acceptNoClientCerts

        protected java.lang.Boolean acceptNoClientCerts

      • requireAuthzWithDelegation

        protected java.lang.Boolean requireAuthzWithDelegation

      • expectedTargetName

        protected org.ietf.jgss.GSSName expectedTargetName
        Expected target name. Used for authorization in initiator

      • goodUntil

        protected java.util.Date goodUntil
        Context expiration date.

      • sslContext

        protected javax.net.ssl.SSLContext sslContext

      • sslEngine

        protected javax.net.ssl.SSLEngine sslEngine

      • conn

        protected boolean conn

      • keyPair

        protected java.security.KeyPair keyPair
        Used during delegation

      • proxyPolicyHandlers

        protected java.util.Map proxyPolicyHandlers

      • peerLimited

        protected java.lang.Boolean peerLimited
        Limited peer credentials

    • Constructor Detail

      • GlobusGSSContextImpl

        public GlobusGSSContextImpl​(org.ietf.jgss.GSSName target,
                            GlobusGSSCredentialImpl cred)
                     throws org.ietf.jgss.GSSException
        Parameters:
        target - expected target name. Can be null.
        cred - credential. Cannot be null. Might be anonymous.
        Throws:
        org.ietf.jgss.GSSException

    • Method Detail

      • acceptSecContext

        public byte[] acceptSecContext​(byte[] inBuff,
                               int off,
                               int len)
                        throws org.ietf.jgss.GSSException
        This function drives the accepting side of the context establishment process. It is expected to be called in tandem with the initSecContext function.
        The behavior of context establishment process can be modified by GSSConstants.GSS_MODE and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL the context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.MODE_GSI credential delegation during context establishment process will be accepted. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting limited proxy credential will be automatically rejected and the context establishment process will be aborted.
        Specified by:
        acceptSecContext in interface org.ietf.jgss.GSSContext
        Returns:
        a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data)
        Throws:
        org.ietf.jgss.GSSException

      • initSecContext

        public byte[] initSecContext​(byte[] inBuff,
                             int off,
                             int len)
                      throws org.ietf.jgss.GSSException
        This function drives the initiating side of the context establishment process. It is expected to be called in tandem with the acceptSecContext function.
        The behavior of context establishment process can be modified by GSSConstants.GSS_MODE, GSSConstants.DELEGATION_TYPE, and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL the context establishment process will be compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.GSS_MODE_GSI credential delegation during context establishment process will performed. The delegation type to be performed can be set using the GSSConstants.DELEGATION_TYPE context option. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting limited proxy credential will be automatically rejected and the context establishment process will be aborted.
        Specified by:
        initSecContext in interface org.ietf.jgss.GSSContext
        Returns:
        a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data).
        Throws:
        org.ietf.jgss.GSSException

      • wrap

        public byte[] wrap​(byte[] inBuf,
                   int off,
                   int len,
                   org.ietf.jgss.MessageProp prop)
            throws org.ietf.jgss.GSSException
        Wraps a message for integrity and protection. A regular SSL-wrapped token is returned.
        Specified by:
        wrap in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • unwrap

        public byte[] unwrap​(byte[] inBuf,
                     int off,
                     int len,
                     org.ietf.jgss.MessageProp prop)
              throws org.ietf.jgss.GSSException
        Unwraps a token generated by wrap method on the other side of the context.
        Specified by:
        unwrap in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • dispose

        public void dispose()
             throws org.ietf.jgss.GSSException
        Specified by:
        dispose in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • isEstablished

        public boolean isEstablished()
        Specified by:
        isEstablished in interface org.ietf.jgss.GSSContext

      • requestCredDeleg

        public void requestCredDeleg​(boolean state)
                      throws org.ietf.jgss.GSSException
        Specified by:
        requestCredDeleg in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getCredDelegState

        public boolean getCredDelegState()
        Specified by:
        getCredDelegState in interface org.ietf.jgss.GSSContext

      • isInitiator

        public boolean isInitiator()
                    throws org.ietf.jgss.GSSException
        Specified by:
        isInitiator in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • isProtReady

        public boolean isProtReady()
        Specified by:
        isProtReady in interface org.ietf.jgss.GSSContext

      • requestLifetime

        public void requestLifetime​(int lifetime)
                     throws org.ietf.jgss.GSSException
        Specified by:
        requestLifetime in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getLifetime

        public int getLifetime()
        Specified by:
        getLifetime in interface org.ietf.jgss.GSSContext

      • getMech

        public org.ietf.jgss.Oid getMech()
                          throws org.ietf.jgss.GSSException
        Specified by:
        getMech in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getDelegCred

        public org.ietf.jgss.GSSCredential getDelegCred()
                                         throws org.ietf.jgss.GSSException
        Specified by:
        getDelegCred in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • requestConf

        public void requestConf​(boolean state)
                 throws org.ietf.jgss.GSSException
        Specified by:
        requestConf in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getConfState

        public boolean getConfState()
        Specified by:
        getConfState in interface org.ietf.jgss.GSSContext

      • getMIC

        public byte[] getMIC​(byte[] inBuf,
                     int off,
                     int len,
                     org.ietf.jgss.MessageProp prop)
              throws org.ietf.jgss.GSSException
        Returns a cryptographic MIC (message integrity check) of a specified message.
        Specified by:
        getMIC in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • verifyMIC

        public void verifyMIC​(byte[] inTok,
                      int tokOff,
                      int tokLen,
                      byte[] inMsg,
                      int msgOff,
                      int msgLen,
                      org.ietf.jgss.MessageProp prop)
               throws org.ietf.jgss.GSSException
        Verifies a cryptographic MIC (message integrity check) of a specified message.
        Specified by:
        verifyMIC in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • initSecContext

        public int initSecContext​(java.io.InputStream in,
                          java.io.OutputStream out)
                   throws org.ietf.jgss.GSSException
        It works just like initSecContext method. It reads one SSL token from input stream, calls initSecContext method and writes the output token to the output stream (if any) SSL token is not read on the initial call.
        Specified by:
        initSecContext in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • acceptSecContext

        public void acceptSecContext​(java.io.InputStream in,
                             java.io.OutputStream out)
                      throws org.ietf.jgss.GSSException
        It works just like acceptSecContext method. It reads one SSL token from input stream, calls acceptSecContext method and writes the output token to the output stream (if any)
        Specified by:
        acceptSecContext in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getSrcName

        public org.ietf.jgss.GSSName getSrcName()
                                 throws org.ietf.jgss.GSSException
        Specified by:
        getSrcName in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getTargName

        public org.ietf.jgss.GSSName getTargName()
                                  throws org.ietf.jgss.GSSException
        Specified by:
        getTargName in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • requestInteg

        public void requestInteg​(boolean state)
                  throws org.ietf.jgss.GSSException
        Specified by:
        requestInteg in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getIntegState

        public boolean getIntegState()
        Specified by:
        getIntegState in interface org.ietf.jgss.GSSContext

      • requestSequenceDet

        public void requestSequenceDet​(boolean state)
                        throws org.ietf.jgss.GSSException
        Specified by:
        requestSequenceDet in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getSequenceDetState

        public boolean getSequenceDetState()
        Specified by:
        getSequenceDetState in interface org.ietf.jgss.GSSContext

      • requestReplayDet

        public void requestReplayDet​(boolean state)
                      throws org.ietf.jgss.GSSException
        Specified by:
        requestReplayDet in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getReplayDetState

        public boolean getReplayDetState()
        Specified by:
        getReplayDetState in interface org.ietf.jgss.GSSContext

      • requestAnonymity

        public void requestAnonymity​(boolean state)
                      throws org.ietf.jgss.GSSException
        Specified by:
        requestAnonymity in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getAnonymityState

        public boolean getAnonymityState()
        Specified by:
        getAnonymityState in interface org.ietf.jgss.GSSContext

      • requestMutualAuth

        public void requestMutualAuth​(boolean state)
                       throws org.ietf.jgss.GSSException
        Specified by:
        requestMutualAuth in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getMutualAuthState

        public boolean getMutualAuthState()
        Specified by:
        getMutualAuthState in interface org.ietf.jgss.GSSContext

      • generateCertRequest

        protected byte[] generateCertRequest​(java.security.cert.X509Certificate cert)
                              throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • verifyDelegatedCert

        protected void verifyDelegatedCert​(java.security.cert.X509Certificate certificate)
                            throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException

      • checkContext

        protected void checkContext()
                     throws org.ietf.jgss.GSSException
        Throws:
        org.ietf.jgss.GSSException

      • setGssMode

        protected void setGssMode​(java.lang.Object value)
                   throws org.ietf.jgss.GSSException
        Throws:
        org.ietf.jgss.GSSException

      • setDelegationType

        protected void setDelegationType​(java.lang.Object value)
                          throws org.ietf.jgss.GSSException
        Throws:
        org.ietf.jgss.GSSException

      • setCheckContextExpired

        protected void setCheckContextExpired​(java.lang.Object value)
                               throws org.ietf.jgss.GSSException
        Throws:
        org.ietf.jgss.GSSException

      • setRejectLimitedProxy

        protected void setRejectLimitedProxy​(java.lang.Object value)
                              throws org.ietf.jgss.GSSException
        Throws:
        org.ietf.jgss.GSSException

      • setRequireClientAuth

        protected void setRequireClientAuth​(java.lang.Object value)
                             throws org.ietf.jgss.GSSException
        Throws:
        org.ietf.jgss.GSSException

      • setRequireAuthzWithDelegation

        protected void setRequireAuthzWithDelegation​(java.lang.Object value)
                                      throws org.ietf.jgss.GSSException
        Throws:
        org.ietf.jgss.GSSException

      • setAcceptNoClientCerts

        protected void setAcceptNoClientCerts​(java.lang.Object value)
                               throws org.ietf.jgss.GSSException
        Throws:
        org.ietf.jgss.GSSException

      • setProxyPolicyHandlers

        protected void setProxyPolicyHandlers​(java.lang.Object value)
                               throws org.ietf.jgss.GSSException
        Throws:
        org.ietf.jgss.GSSException

      • setTrustedCertificates

        protected void setTrustedCertificates​(java.lang.Object value)
                               throws org.ietf.jgss.GSSException
        Throws:
        org.ietf.jgss.GSSException

      • setOption

        public void setOption​(org.ietf.jgss.Oid option,
                      java.lang.Object value)
               throws org.ietf.jgss.GSSException
        Description copied from interface: ExtendedGSSContext
        Sets a context option. It can be called by context initiator or acceptor but prior to the first call to initSecContext, acceptSecContext, initDelegation or acceptDelegation.
        Specified by:
        setOption in interface ExtendedGSSContext
        Parameters:
        option - option type.
        value - option value.
        Throws:
        org.ietf.jgss.GSSException - containing the following major error codes: GSSException.FAILURE

      • getOption

        public java.lang.Object getOption​(org.ietf.jgss.Oid option)
                           throws org.ietf.jgss.GSSException
        Description copied from interface: ExtendedGSSContext
        Gets a context option. It can be called by context initiator or acceptor.
        Specified by:
        getOption in interface ExtendedGSSContext
        Parameters:
        option - option type.
        Returns:
        value option value. Maybe be null.
        Throws:
        org.ietf.jgss.GSSException - containing the following major error codes: GSSException.FAILURE

      • initDelegation

        public byte[] initDelegation​(org.ietf.jgss.GSSCredential credential,
                             org.ietf.jgss.Oid mechanism,
                             int lifetime,
                             byte[] buf,
                             int off,
                             int len)
                      throws org.ietf.jgss.GSSException
        Initiate the delegation of a credential. This function drives the initiating side of the credential delegation process. It is expected to be called in tandem with the acceptDelegation function.
        The behavior of this function can be modified by GSSConstants.DELEGATION_TYPE and GSSConstants.GSS_MODE context options. The GSSConstants.DELEGATION_TYPE option controls delegation type to be performed. The GSSConstants.GSS_MODE option if set to GSIConstants.MODE_SSL results in tokens that are not wrapped.
        Specified by:
        initDelegation in interface ExtendedGSSContext
        Parameters:
        credential - The credential to be delegated. May be null in which case the credential associated with the security context is used.
        mechanism - The desired security mechanism. May be null.
        lifetime - The requested period of validity (seconds) of the delegated credential.
        Returns:
        A token that should be passed to acceptDelegation if isDelegationFinished returns false. May be null.
        Throws:
        org.ietf.jgss.GSSException - containing the following major error codes: GSSException.FAILURE

      • acceptDelegation

        public byte[] acceptDelegation​(int lifetime,
                               byte[] buf,
                               int off,
                               int len)
                        throws org.ietf.jgss.GSSException
        Accept a delegated credential. This function drives the accepting side of the credential delegation process. It is expected to be called in tandem with the initDelegation function.
        The behavior of this function can be modified by GSSConstants.GSS_MODE context option. The GSSConstants.GSS_MODE option if set to GSIConstants.MODE_SSL results in tokens that are not wrapped.
        Specified by:
        acceptDelegation in interface ExtendedGSSContext
        Parameters:
        lifetime - The requested period of validity (seconds) of the delegated credential.
        Returns:
        A token that should be passed to initDelegation if isDelegationFinished returns false. May be null.
        Throws:
        org.ietf.jgss.GSSException - containing the following major error codes: GSSException.FAILURE

      • getDelegatedCredential

        public org.ietf.jgss.GSSCredential getDelegatedCredential()
        Description copied from interface: ExtendedGSSContext
        Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions. This is to be called on the delegation accepting side once once isDelegationFinished returns true.
        Specified by:
        getDelegatedCredential in interface ExtendedGSSContext
        Returns:
        The delegated credential. Might be null if credential delegation is not finished.

      • isDelegationFinished

        public boolean isDelegationFinished()
        Description copied from interface: ExtendedGSSContext
        Used during delegation to determine the state of the delegation.
        Specified by:
        isDelegationFinished in interface ExtendedGSSContext
        Returns:
        true if delegation was completed, false otherwise.

      • inquireByOid

        public java.lang.Object inquireByOid​(org.ietf.jgss.Oid oid)
                              throws org.ietf.jgss.GSSException
        Retrieves arbitrary data about this context. Currently supported oid:
        Specified by:
        inquireByOid in interface ExtendedGSSContext
        Parameters:
        oid - the oid of the information desired.
        Returns:
        the information desired. Might be null.
        Throws:
        org.ietf.jgss.GSSException - containing the following major error codes: GSSException.FAILURE

      • setBannedCiphers

        public void setBannedCiphers​(java.lang.String[] ciphers)
        Description copied from interface: ExtendedGSSContext
        Specifies a list of ciphers that will not be used.
        Specified by:
        setBannedCiphers in interface ExtendedGSSContext
        Parameters:
        ciphers - The list of banned ciphers.

      • getWrapSizeLimit

        public int getWrapSizeLimit​(int qop,
                            boolean confReq,
                            int maxTokenSize)
                     throws org.ietf.jgss.GSSException
        Currently not implemented.
        Specified by:
        getWrapSizeLimit in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • wrap

        public void wrap​(java.io.InputStream inStream,
                 java.io.OutputStream outStream,
                 org.ietf.jgss.MessageProp msgProp)
          throws org.ietf.jgss.GSSException
        Currently not implemented.
        Specified by:
        wrap in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • unwrap

        public void unwrap​(java.io.InputStream inStream,
                   java.io.OutputStream outStream,
                   org.ietf.jgss.MessageProp msgProp)
            throws org.ietf.jgss.GSSException
        Currently not implemented.
        Specified by:
        unwrap in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • getMIC

        public void getMIC​(java.io.InputStream inStream,
                   java.io.OutputStream outStream,
                   org.ietf.jgss.MessageProp msgProp)
            throws org.ietf.jgss.GSSException
        Currently not implemented.
        Specified by:
        getMIC in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • verifyMIC

        public void verifyMIC​(java.io.InputStream tokStream,
                      java.io.InputStream msgStream,
                      org.ietf.jgss.MessageProp msgProp)
               throws org.ietf.jgss.GSSException
        Currently not implemented.
        Specified by:
        verifyMIC in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • setChannelBinding

        public void setChannelBinding​(org.ietf.jgss.ChannelBinding cb)
                       throws org.ietf.jgss.GSSException
        Currently not implemented.
        Specified by:
        setChannelBinding in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • isTransferable

        public boolean isTransferable()
                       throws org.ietf.jgss.GSSException
        Currently not implemented.
        Specified by:
        isTransferable in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException

      • export

        public byte[] export()
              throws org.ietf.jgss.GSSException
        Currently not implemented.
        Specified by:
        export in interface org.ietf.jgss.GSSContext
        Throws:
        org.ietf.jgss.GSSException