Java Globus API: Class GlobusGSSContextImpl

org.globus.gsi.gssapi
Class GlobusGSSContextImpl

java.lang.Object
  |
  +--org.globus.gsi.gssapi.GlobusGSSContextImpl
All Implemented Interfaces:
ExtendedGSSContext, GSSContext

public class GlobusGSSContextImpl
extends Object
implements ExtendedGSSContext

Implementation of SSL/GSI mechanism for Java GSS-API. The implementation is based on the PureTLS library (for SSL API) and the BouncyCastle library (for certificate processing API).
The implementation is not designed to be thread-safe.


Field Summary
protected  boolean anonymity
           
protected  BouncyCastleCertProcessingFactory certFactory
           
protected  Boolean checkContextExpiration
           
protected  COM.claymoresystems.ptls.SSLConn conn
           
protected  PureTLSContext context
           
protected  boolean credentialDelegation
           
protected  GlobusGSSCredentialImpl ctxCred
          Credential of this context.
protected  ExtendedGSSCredential delegatedCred
          Credential delegated using delegation API
protected  boolean delegationFinished
          Delegation finished indicator
protected  int delegationState
          Delegation state
protected  Integer delegationType
           
protected  ExtendedGSSCredential delegCred
          Credential delegated during context establishment
protected  boolean encryption
           
protected  boolean established
           
protected  GSSName expectedTargetName
          Expected target name.
protected  Date goodUntil
          Context expiration date.
protected  ProxyPolicyHandler grimPolicyHandler
           
static int GSI_WRAP
          Used to distinguish between a token created by wrap with GSSConstants.GSI_BIG QoP and a regular token created by wrap.
protected  Integer gssMode
           
protected  TokenInputStream in
           
protected  KeyPair keyPair
          Used during delegation
protected  ByteArrayOutputStream out
           
protected  COM.claymoresystems.sslg.SSLPolicyInt policy
           
protected  Boolean rejectLimitedProxy
           
protected  Boolean requireClientAuth
           
protected  int role
          Context role
protected  GSSName sourceName
          The name of the context initiator
protected  int state
          Handshake state
protected  GSSName targetName
          The name of the context acceptor
protected  TrustedCertificates tc
           
 
Fields inherited from interface org.ietf.jgss.GSSContext
DEFAULT_LIFETIME, INDEFINITE_LIFETIME
 
Constructor Summary
GlobusGSSContextImpl(GSSName target, GlobusGSSCredentialImpl cred)
           
 
Method Summary
 byte[] acceptDelegation(int lifetime, byte[] buf, int off, int len)
          Accept a delegated credential.
 byte[] acceptSecContext(byte[] inBuff, int off, int len)
          This function drives the accepting side of the context establishment process.
 void acceptSecContext(InputStream in, OutputStream out)
          Works just like the byte-array acceptSecContext method, reading and writing tokens on streams.
protected  void checkContext()
           
 void dispose()
           
 byte[] export()
          Currently not implemented.
protected  byte[] generateCertRequest(X509Certificate cert)
           
 boolean getAnonymityState()
           
 boolean getConfState()
           
 boolean getCredDelegState()
           
 GSSCredential getDelegatedCredential()
          Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions.
protected  int getDelegationType(X509Certificate issuer)
           
 GSSCredential getDelegCred()
           
 boolean getIntegState()
           
 int getLifetime()
           
 Oid getMech()
           
 byte[] getMIC(byte[] inBuf, int off, int len, MessageProp prop)
          Returns a cryptographic MIC (message integrity check) of a specified message.
 void getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp)
          Currently not implemented.
 boolean getMutualAuthState()
           
 Object getOption(Oid option)
          Gets a context option.
 boolean getReplayDetState()
           
 boolean getSequenceDetState()
           
 GSSName getSrcName()
           
 GSSName getTargName()
           
 int getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize)
          Currently not implemented.
 byte[] initDelegation(GSSCredential credential, Oid mechanism, int lifetime, byte[] buf, int off, int len)
          Initiate the delegation of a credential.
 byte[] initSecContext(byte[] inBuff, int off, int len)
          This function drives the initiating side of the context establishment process.
 int initSecContext(InputStream in, OutputStream out)
          Works just like the byte-array initSecContext method, reading and writing tokens on streams.
 boolean isDelegationFinished()
          Used during delegation to determine the state of the delegation.
 boolean isEstablished()
           
 boolean isInitiator()
           
 boolean isProtReady()
           
 boolean isTransferable()
          Currently not implemented.
 void requestAnonymity(boolean state)
           
 void requestConf(boolean state)
           
 void requestCredDeleg(boolean state)
           
 void requestInteg(boolean state)
           
 void requestLifetime(int lifetime)
           
 void requestMutualAuth(boolean state)
           
 void requestReplayDet(boolean state)
           
 void requestSequenceDet(boolean state)
           
 void setChannelBinding(ChannelBinding cb)
          Currently not implemented.
protected  void setCheckContextExpired(Object value)
           
protected  void setDelegationType(Object value)
           
protected  void setGrimPolicyHandler(Object value)
           
protected  void setGssMode(Object value)
           
 void setOption(Oid option, Object value)
          Sets a context option.
protected  void setRejectLimitedProxy(Object value)
           
protected  void setRequireClientAuth(Object value)
           
protected  void setTrustedCertificates(Object value)
           
 byte[] unwrap(byte[] inBuf, int off, int len, MessageProp prop)
          Unwraps a token generated by wrap method on the other side of the context.
 void unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp)
          Currently not implemented.
protected  void verifyDelegatedCert(X509Certificate certificate)
           
 void verifyMIC(byte[] inTok, int tokOff, int tokLen, byte[] inMsg, int msgOff, int msgLen, MessageProp prop)
          Verifies a cryptographic MIC (message integrity check) of a specified message.
 void verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp)
          Currently not implemented.
 byte[] wrap(byte[] inBuf, int off, int len, MessageProp prop)
          Wraps a message for integrity and protection.
 void wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp)
          Currently not implemented.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

GSI_WRAP

public static final int GSI_WRAP
Used to distinguish between a token created by wrap with GSSConstants.GSI_BIG QoP and a regular token created by wrap.

state

protected int state
Handshake state

delegationState

protected int delegationState
Delegation state

delegatedCred

protected ExtendedGSSCredential delegatedCred
Credential delegated using delegation API

delegationFinished

protected boolean delegationFinished
Delegation finished indicator

credentialDelegation

protected boolean credentialDelegation

anonymity

protected boolean anonymity

encryption

protected boolean encryption

established

protected boolean established

sourceName

protected GSSName sourceName
The name of the context initiator

targetName

protected GSSName targetName
The name of the context acceptor

role

protected int role
Context role

delegCred

protected ExtendedGSSCredential delegCred
Credential delegated during context establishment

delegationType

protected Integer delegationType

gssMode

protected Integer gssMode

checkContextExpiration

protected Boolean checkContextExpiration

rejectLimitedProxy

protected Boolean rejectLimitedProxy

requireClientAuth

protected Boolean requireClientAuth

ctxCred

protected GlobusGSSCredentialImpl ctxCred
Credential of this context. Might be anonymous

expectedTargetName

protected GSSName expectedTargetName
Expected target name. Used for authorization in initiator

goodUntil

protected Date goodUntil
Context expiration date.

conn

protected COM.claymoresystems.ptls.SSLConn conn

context

protected PureTLSContext context

policy

protected COM.claymoresystems.sslg.SSLPolicyInt policy

in

protected TokenInputStream in

out

protected ByteArrayOutputStream out

certFactory

protected BouncyCastleCertProcessingFactory certFactory

keyPair

protected KeyPair keyPair
Used during delegation

tc

protected TrustedCertificates tc

grimPolicyHandler

protected ProxyPolicyHandler grimPolicyHandler

Constructor Detail

GlobusGSSContextImpl

public GlobusGSSContextImpl(GSSName target,
                            GlobusGSSCredentialImpl cred)
                     throws GSSException
Parameters:
target - expected target name. Can be null.
cred - credential. Cannot be null. Might be anonymous.

Method Detail

acceptSecContext

public byte[] acceptSecContext(byte[] inBuff,
                               int off,
                               int len)
                        throws GSSException
This function drives the accepting side of the context establishment process. It is expected to be called in tandem with the initSecContext function.
The behavior of the context establishment process can be modified by the GSSConstants.GSS_MODE and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the context establishment process is compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.MODE_GSI, credential delegation during the context establishment process is accepted. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting a limited proxy credential is automatically rejected and the context establishment process is aborted.
Specified by:
acceptSecContext in interface GSSContext
Returns:
a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data)

initSecContext

public byte[] initSecContext(byte[] inBuff,
                             int off,
                             int len)
                      throws GSSException
This function drives the initiating side of the context establishment process. It is expected to be called in tandem with the acceptSecContext function.
The behavior of the context establishment process can be modified by the GSSConstants.GSS_MODE, GSSConstants.DELEGATION_TYPE, and GSSConstants.REJECT_LIMITED_PROXY context options. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the context establishment process is compatible with regular SSL (no credential delegation support). If the option is set to GSIConstants.MODE_GSI, credential delegation is performed during the context establishment process. The delegation type to be performed can be set using the GSSConstants.DELEGATION_TYPE context option. If the GSSConstants.REJECT_LIMITED_PROXY option is enabled, a peer presenting a limited proxy credential is automatically rejected and the context establishment process is aborted.
Specified by:
initSecContext in interface GSSContext
Returns:
a byte[] containing the token to be sent to the peer. null indicates that no token is generated (needs more data).
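The following is an added example, not code from jglobus: it drives both sides of a GlobusGSSContextImpl handshake in memory with the options described above, then performs the acceptor-side authorization check that establishment alone does not do. Credentials are passed in (loading them is out of scope), and GSIConstants.DELEGATION_LIMITED is assumed to exist; the page names only the GSSConstants.DELEGATION_TYPE option.

```java
import org.globus.gsi.GSIConstants;
import org.globus.gsi.gssapi.GSSConstants;
import org.globus.gsi.gssapi.GlobusGSSContextImpl;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;

// Added example, not jglobus code: drives both sides of a GlobusGSSContextImpl
// handshake in memory (as an in-process test harness would), then authorizes the
// peer. Credentials are passed in; loading them is outside this example.
public final class GsiHandshakeExample {

    // Defensive bound on token round trips; not an API constant.
    private static final int MAX_ROUNDS = 16;

    // Builds the pair with the options the page describes. Options must be set
    // before the first initSecContext/acceptSecContext call on that context.
    public static GlobusGSSContextImpl[] createPair(GSSName expectedTarget,
            GlobusGSSCredentialImpl initCred, GlobusGSSCredentialImpl acceptCred) throws GSSException {
        // expectedTarget is checked against the acceptor's authenticated name (initiator-side authorization).
        GlobusGSSContextImpl initiator = new GlobusGSSContextImpl(expectedTarget, initCred);
        GlobusGSSContextImpl acceptor = new GlobusGSSContextImpl(null, acceptCred);
        for (GlobusGSSContextImpl ctx : new GlobusGSSContextImpl[] {initiator, acceptor}) {
            ctx.setOption(GSSConstants.GSS_MODE, GSIConstants.MODE_GSI);      // allow in-handshake delegation
            ctx.setOption(GSSConstants.REJECT_LIMITED_PROXY, Boolean.TRUE);   // abort if the peer uses a limited proxy
        }
        // GSIConstants.DELEGATION_LIMITED is assumed to exist; the page names only the option.
        initiator.setOption(GSSConstants.DELEGATION_TYPE, GSIConstants.DELEGATION_LIMITED);
        initiator.requestCredDeleg(true);
        initiator.requestMutualAuth(true);
        initiator.requestConf(true);
        return new GlobusGSSContextImpl[] {initiator, acceptor};
    }

    // Exchanges tokens until both sides report isEstablished(). A null token means
    // "nothing to send this round" (needs more data), not an error.
    public static void establish(GlobusGSSContextImpl initiator, GlobusGSSContextImpl acceptor)
            throws GSSException {
        byte[] toInitiator = new byte[0];   // the first initSecContext call carries no input
        for (int round = 0; round < MAX_ROUNDS; round++) {
            byte[] toAcceptor = null;
            if (!initiator.isEstablished()) {
                toAcceptor = initiator.initSecContext(toInitiator, 0, toInitiator.length);
            }
            toInitiator = new byte[0];
            if (toAcceptor != null) {
                byte[] reply = acceptor.acceptSecContext(toAcceptor, 0, toAcceptor.length);
                if (reply != null) {
                    toInitiator = reply;
                }
            }
            if (initiator.isEstablished() && acceptor.isEstablished()) {
                return;
            }
            if (toAcceptor == null && toInitiator.length == 0) {
                break;   // neither side produced a token: the handshake has stalled
            }
        }
        throw new GSSException(GSSException.FAILURE, 0, "handshake did not complete in " + MAX_ROUNDS + " rounds");
    }

    // Acceptor-side authorization: the handshake only proves the peer holds some
    // trusted certificate; binding that identity to what the service expects is the caller's job.
    public static void requirePeer(GlobusGSSContextImpl acceptor, GSSName expectedPeer) throws GSSException {
        if (!acceptor.isEstablished()) {
            throw new GSSException(GSSException.NO_CONTEXT, 0, "context not established");
        }
        GSSName peer = acceptor.getSrcName();
        if (peer == null || peer.isAnonymous() || !peer.equals(expectedPeer)) {
            throw new GSSException(GSSException.UNAUTHORIZED, 0, "unexpected peer identity");
        }
    }
}
```

Because GSSConstants.REJECT_LIMITED_PROXY aborts establishment, a limited-proxy peer surfaces as a GSSException from establish() rather than as an established context whose name must then be inspected.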

wrap

public byte[] wrap(byte[] inBuf,
                   int off,
                   int len,
                   MessageProp prop)
            throws GSSException
Wraps a message for integrity and protection. Returns a GSI-wrapped token when privacy is not requested and the requested QoP is GSSConstants.GSI_BIG. Otherwise a regular SSL-wrapped token is returned.
Specified by:
wrap in interface GSSContext

unwrap

public byte[] unwrap(byte[] inBuf,
                     int off,
                     int len,
                     MessageProp prop)
              throws GSSException
Unwraps a token generated by the wrap method on the other side of the context. The input token can be either a regular SSL-wrapped token or a GSI-wrapped token. Upon return from the method, the MessageProp object contains the applied QoP and privacy state of the message. For a GSI-wrapped token the applied QoP is set to GSSConstants.GSI_BIG.
Specified by:
unwrap in interface GSSContext
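An added example (not jglobus code) of message protection over an already established GlobusGSSContextImpl pair, covering the wrap/unwrap and getMIC/verifyMIC methods above. The receiver reads the MessageProp that unwrap fills in to learn which protection was really applied, so that an integrity-only GSI_BIG token is never mistaken for an encrypted one.

```java
import org.globus.gsi.gssapi.GSSConstants;
import org.globus.gsi.gssapi.GlobusGSSContextImpl;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

// Added example, not jglobus code: message protection over an already established
// GlobusGSSContextImpl pair. The receiver checks what protection was actually
// applied (from the MessageProp filled in by unwrap) instead of assuming it.
public final class GsiWrapExample {

    // Integrity-only GSI wrapping: privacy off plus QoP GSI_BIG yields a GSI-wrapped
    // token; any other combination yields a regular SSL-wrapped token.
    public static byte[] wrapGsiBig(GlobusGSSContextImpl sender, byte[] msg) throws GSSException {
        MessageProp prop = new MessageProp(GSSConstants.GSI_BIG, false);
        return sender.wrap(msg, 0, msg.length, prop);
    }

    // Confidential wrapping: privacy on, default QoP, always an SSL-wrapped token.
    public static byte[] wrapPrivate(GlobusGSSContextImpl sender, byte[] msg) throws GSSException {
        MessageProp prop = new MessageProp(0, true);
        return sender.wrap(msg, 0, msg.length, prop);
    }

    // Unwraps either token kind. unwrap() overwrites 'applied' with the QoP and
    // privacy state that were really used, so the caller can enforce its policy.
    public static byte[] unwrapChecked(GlobusGSSContextImpl receiver, byte[] token,
            boolean requirePrivacy, MessageProp applied) throws GSSException {
        byte[] plain = receiver.unwrap(token, 0, token.length, applied);
        if (requirePrivacy && !applied.getPrivacy()) {
            // A GSI_BIG token is integrity-protected only; never treat it as confidential.
            throw new GSSException(GSSException.BAD_QOP, 0, "message was not encrypted");
        }
        return plain;
    }

    // True when unwrap reported a GSI-wrapped token (applied QoP == GSI_BIG).
    public static boolean wasGsiWrapped(MessageProp applied) {
        return applied.getQOP() == GSSConstants.GSI_BIG;
    }

    // Detached integrity check: getMIC on one side, verifyMIC on the other.
    // verifyMIC signals failure by throwing, not by returning a value.
    public static boolean micRoundTrip(GlobusGSSContextImpl sender, GlobusGSSContextImpl receiver, byte[] msg)
            throws GSSException {
        byte[] mic = sender.getMIC(msg, 0, msg.length, new MessageProp(0, false));
        try {
            receiver.verifyMIC(mic, 0, mic.length, msg, 0, msg.length, new MessageProp(0, false));
            return true;
        } catch (GSSException e) {
            if (e.getMajor() == GSSException.BAD_MIC) {
                return false;   // reported as a bad MIC: message or token was altered
            }
            throw e;            // anything else (expired context, bad token) stays an error
        }
    }

    // One protected message from sender to receiver; both contexts must be established.
    public static byte[] roundTrip(GlobusGSSContextImpl sender, GlobusGSSContextImpl receiver, byte[] msg,
            boolean confidential) throws GSSException {
        byte[] token = confidential ? wrapPrivate(sender, msg) : wrapGsiBig(sender, msg);
        MessageProp applied = new MessageProp(0, false);
        return unwrapChecked(receiver, token, confidential, applied);
    }
}
```

Since getWrapSizeLimit is not implemented in this class, the caller has to decide on its own how to split large messages into tokens.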

dispose

public void dispose()
             throws GSSException
Specified by:
dispose in interface GSSContext

isEstablished

public boolean isEstablished()
Specified by:
isEstablished in interface GSSContext

requestCredDeleg

public void requestCredDeleg(boolean state)
                      throws GSSException
Specified by:
requestCredDeleg in interface GSSContext

getCredDelegState

public boolean getCredDelegState()
Specified by:
getCredDelegState in interface GSSContext

isInitiator

public boolean isInitiator()
                    throws GSSException
Specified by:
isInitiator in interface GSSContext

isProtReady

public boolean isProtReady()
Specified by:
isProtReady in interface GSSContext

requestLifetime

public void requestLifetime(int lifetime)
                     throws GSSException
Specified by:
requestLifetime in interface GSSContext

getLifetime

public int getLifetime()
Specified by:
getLifetime in interface GSSContext

getMech

public Oid getMech()
            throws GSSException
Specified by:
getMech in interface GSSContext

getDelegCred

public GSSCredential getDelegCred()
                           throws GSSException
Specified by:
getDelegCred in interface GSSContext

requestConf

public void requestConf(boolean state)
                 throws GSSException
Specified by:
requestConf in interface GSSContext

getConfState

public boolean getConfState()
Specified by:
getConfState in interface GSSContext

getMIC

public byte[] getMIC(byte[] inBuf,
                     int off,
                     int len,
                     MessageProp prop)
              throws GSSException
Returns a cryptographic MIC (message integrity check) of a specified message.
Specified by:
getMIC in interface GSSContext

verifyMIC

public void verifyMIC(byte[] inTok,
                      int tokOff,
                      int tokLen,
                      byte[] inMsg,
                      int msgOff,
                      int msgLen,
                      MessageProp prop)
               throws GSSException
Verifies a cryptographic MIC (message integrity check) of a specified message.
Specified by:
verifyMIC in interface GSSContext

initSecContext

public int initSecContext(InputStream in,
                          OutputStream out)
                   throws GSSException
Works just like the byte-array initSecContext method: it reads one SSL token from the input stream, calls initSecContext, and writes the output token (if any) to the output stream. No SSL token is read on the initial call.
Specified by:
initSecContext in interface GSSContext

acceptSecContext

public void acceptSecContext(InputStream in,
                             OutputStream out)
                      throws GSSException
Works just like the byte-array acceptSecContext method: it reads one SSL token from the input stream, calls acceptSecContext, and writes the output token (if any) to the output stream.
Specified by:
acceptSecContext in interface GSSContext

getSrcName

public GSSName getSrcName()
                   throws GSSException
Specified by:
getSrcName in interface GSSContext

getTargName

public GSSName getTargName()
                    throws GSSException
Specified by:
getTargName in interface GSSContext

requestInteg

public void requestInteg(boolean state)
                  throws GSSException
Specified by:
requestInteg in interface GSSContext

getIntegState

public boolean getIntegState()
Specified by:
getIntegState in interface GSSContext

requestSequenceDet

public void requestSequenceDet(boolean state)
                        throws GSSException
Specified by:
requestSequenceDet in interface GSSContext

getSequenceDetState

public boolean getSequenceDetState()
Specified by:
getSequenceDetState in interface GSSContext

requestReplayDet

public void requestReplayDet(boolean state)
                      throws GSSException
Specified by:
requestReplayDet in interface GSSContext

getReplayDetState

public boolean getReplayDetState()
Specified by:
getReplayDetState in interface GSSContext

requestAnonymity

public void requestAnonymity(boolean state)
                      throws GSSException
Specified by:
requestAnonymity in interface GSSContext

getAnonymityState

public boolean getAnonymityState()
Specified by:
getAnonymityState in interface GSSContext

requestMutualAuth

public void requestMutualAuth(boolean state)
                       throws GSSException
Specified by:
requestMutualAuth in interface GSSContext

getMutualAuthState

public boolean getMutualAuthState()
Specified by:
getMutualAuthState in interface GSSContext

generateCertRequest

protected byte[] generateCertRequest(X509Certificate cert)
                              throws GeneralSecurityException

verifyDelegatedCert

protected void verifyDelegatedCert(X509Certificate certificate)
                            throws GeneralSecurityException

checkContext

protected void checkContext()
                     throws GSSException

getDelegationType

protected int getDelegationType(X509Certificate issuer)
                         throws GeneralSecurityException,
                                GSSException

setGssMode

protected void setGssMode(Object value)
                   throws GSSException

setDelegationType

protected void setDelegationType(Object value)
                          throws GSSException

setCheckContextExpired

protected void setCheckContextExpired(Object value)
                               throws GSSException

setRejectLimitedProxy

protected void setRejectLimitedProxy(Object value)
                              throws GSSException

setRequireClientAuth

protected void setRequireClientAuth(Object value)
                             throws GSSException

setGrimPolicyHandler

protected void setGrimPolicyHandler(Object value)
                             throws GSSException

setTrustedCertificates

protected void setTrustedCertificates(Object value)
                               throws GSSException

setOption

public void setOption(Oid option,
                      Object value)
               throws GSSException
Description copied from interface: ExtendedGSSContext
Sets a context option. It can be called by context initiator or acceptor but prior to the first call to initSecContext, acceptSecContext, initDelegation or acceptDelegation.
Specified by:
setOption in interface ExtendedGSSContext
Following copied from interface: org.gridforum.jgss.ExtendedGSSContext
Parameters:
option - option type.
value - option value.
Throws:
GSSException - containing the following major error codes: GSSException.FAILURE

getOption

public Object getOption(Oid option)
                 throws GSSException
Description copied from interface: ExtendedGSSContext
Gets a context option. It can be called by context initiator or acceptor.
Specified by:
getOption in interface ExtendedGSSContext
Following copied from interface: org.gridforum.jgss.ExtendedGSSContext
Parameters:
option - option type.
Returns:
option value. May be null.
Throws:
GSSException - containing the following major error codes: GSSException.FAILURE

initDelegation

public byte[] initDelegation(GSSCredential credential,
                             Oid mechanism,
                             int lifetime,
                             byte[] buf,
                             int off,
                             int len)
                      throws GSSException
Initiate the delegation of a credential. This function drives the initiating side of the credential delegation process. It is expected to be called in tandem with the acceptDelegation function.
The behavior of this function can be modified by the GSSConstants.DELEGATION_TYPE and GSSConstants.GSS_MODE context options. The GSSConstants.DELEGATION_TYPE option controls the delegation type to be performed. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the tokens are not wrapped.
Specified by:
initDelegation in interface ExtendedGSSContext
Parameters:
credential - The credential to be delegated. May be null, in which case the credential associated with the security context is used.
mechanism - The desired security mechanism. May be null.
lifetime - The requested period of validity (seconds) of the delegated credential.
Returns:
A token that should be passed to acceptDelegation if isDelegationFinished returns false. May be null.
Throws:
GSSException - containing the following major error codes: GSSException.FAILURE

acceptDelegation

public byte[] acceptDelegation(int lifetime,
                               byte[] buf,
                               int off,
                               int len)
                        throws GSSException
Accept a delegated credential. This function drives the accepting side of the credential delegation process. It is expected to be called in tandem with the initDelegation function.
The behavior of this function can be modified by the GSSConstants.GSS_MODE context option. If the GSSConstants.GSS_MODE option is set to GSIConstants.MODE_SSL, the tokens are not wrapped.
Specified by:
acceptDelegation in interface ExtendedGSSContext
Parameters:
lifetime - The requested period of validity (seconds) of the delegated credential.
Returns:
A token that should be passed to initDelegation if isDelegationFinished returns false. May be null.
Throws:
GSSException - containing the following major error codes: GSSException.FAILURE

getDelegatedCredential

public GSSCredential getDelegatedCredential()
Description copied from interface: ExtendedGSSContext
Returns the delegated credential that was delegated using the initDelegation and acceptDelegation functions. This is to be called on the delegation accepting side once isDelegationFinished returns true.
Specified by:
getDelegatedCredential in interface ExtendedGSSContext
Following copied from interface: org.gridforum.jgss.ExtendedGSSContext
Returns:
The delegated credential. Might be null if credential delegation is not finished.

isDelegationFinished

public boolean isDelegationFinished()
Description copied from interface: ExtendedGSSContext
Used during delegation to determine the state of the delegation.
Specified by:
isDelegationFinished in interface ExtendedGSSContext
Following copied from interface: org.gridforum.jgss.ExtendedGSSContext
Returns:
true if delegation was completed, false otherwise.
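An added example (not jglobus code) that runs the initDelegation/acceptDelegation exchange described above between two established GlobusGSSContextImpl instances held in memory, then retrieves and sanity-checks the delegated credential with isDelegationFinished and getDelegatedCredential. It assumes the delegation type, if not the default, was set through GSSConstants.DELEGATION_TYPE before the handshake, as setOption requires.

```java
import org.globus.gsi.gssapi.GlobusGSSContextImpl;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

// Added example, not jglobus code: the delegation exchange that
// initDelegation/acceptDelegation drive after a context is established, run in
// memory between the two sides. GSSConstants.DELEGATION_TYPE, if needed, must
// already have been set as a context option before the handshake.
public final class GsiDelegationExample {

    // Defensive bound on delegation round trips; not an API constant.
    private static final int MAX_ROUNDS = 8;

    // Runs the exchange and returns the credential the acceptor received. A null
    // credential argument to initDelegation delegates the context's own credential.
    public static GSSCredential delegate(GlobusGSSContextImpl initiator, GlobusGSSContextImpl acceptor,
            int lifetimeSeconds) throws GSSException {
        if (!initiator.isEstablished() || !acceptor.isEstablished()) {
            throw new GSSException(GSSException.NO_CONTEXT, 0, "delegation requires an established context");
        }
        byte[] toInitiator = new byte[0];   // the first initDelegation call carries no input
        for (int round = 0; round < MAX_ROUNDS && !acceptor.isDelegationFinished(); round++) {
            byte[] toAcceptor = null;
            if (!initiator.isDelegationFinished()) {
                toAcceptor = initiator.initDelegation(null, null, lifetimeSeconds,
                        toInitiator, 0, toInitiator.length);
            }
            if (toAcceptor == null) {
                break;   // initiator has nothing more to send: the exchange has stalled
            }
            byte[] reply = acceptor.acceptDelegation(lifetimeSeconds, toAcceptor, 0, toAcceptor.length);
            toInitiator = (reply == null) ? new byte[0] : reply;
        }
        if (!acceptor.isDelegationFinished()) {
            throw new GSSException(GSSException.FAILURE, 0, "delegation did not complete");
        }
        GSSCredential delegated = acceptor.getDelegatedCredential();
        if (delegated == null) {
            throw new GSSException(GSSException.NO_CRED, 0, "no delegated credential available");
        }
        return delegated;
    }

    // Acceptor-side check before the delegated credential is used or stored: it must
    // still be valid and must not outlive the (positive) lifetime the service asked for.
    public static boolean isUsable(GSSCredential delegated, int requestedLifetimeSeconds) throws GSSException {
        int remaining = delegated.getRemainingLifetime();
        return remaining > 0 && remaining <= requestedLifetimeSeconds;
    }
}
```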

getWrapSizeLimit

public int getWrapSizeLimit(int qop,
                            boolean confReq,
                            int maxTokenSize)
                     throws GSSException
Currently not implemented.
Specified by:
getWrapSizeLimit in interface GSSContext

wrap

public void wrap(InputStream inStream,
                 OutputStream outStream,
                 MessageProp msgProp)
          throws GSSException
Currently not implemented.
Specified by:
wrap in interface GSSContext

unwrap

public void unwrap(InputStream inStream,
                   OutputStream outStream,
                   MessageProp msgProp)
            throws GSSException
Currently not implemented.
Specified by:
unwrap in interface GSSContext

getMIC

public void getMIC(InputStream inStream,
                   OutputStream outStream,
                   MessageProp msgProp)
            throws GSSException
Currently not implemented.
Specified by:
getMIC in interface GSSContext

verifyMIC

public void verifyMIC(InputStream tokStream,
                      InputStream msgStream,
                      MessageProp msgProp)
               throws GSSException
Currently not implemented.
Specified by:
verifyMIC in interface GSSContext

setChannelBinding

public void setChannelBinding(ChannelBinding cb)
                       throws GSSException
Currently not implemented.
Specified by:
setChannelBinding in interface GSSContext

isTransferable

public boolean isTransferable()
                       throws GSSException
Currently not implemented.
Specified by:
isTransferable in interface GSSContext

export

public byte[] export()
              throws GSSException
Currently not implemented.
Specified by:
export in interface GSSContext