GSIAuthenticationHandler (xrootd4j GSI authentication plugin 3.3.3 API)

java.lang.Object
- org.dcache.xrootd.plugins.authn.gsi.GSIAuthenticationHandler

All Implemented Interfaces:

AuthenticationHandler
```
public class GSIAuthenticationHandler
extends Object
implements AuthenticationHandler
```
Handler for xrootd-security message exchange based on the GSI protocol. Loosely based on the first reverse-engineering of xrootdsec-gsi, done by Martin Radicke.

Author:

tzangerl

Field Summary

Fields
Modifier and Type	Field and Description
`protected static eu.emi.security.authn.x509.helpers.ssl.HostnameToCertificateChecker`	`CERT_CHECKER`
`protected File`	`certDir`
`protected static int`	`CHALLENGE_BYTES`
`protected eu.emi.security.authn.x509.X509Credential`	`credential` certificates/keys/trust-anchors
`static String`	`CRYPTO_MODE`
`protected static org.slf4j.Logger`	`LOGGER`
`static String`	`PROTOCOL`
`static String`	`PROTOCOL_VERSION`
`protected static SecureRandom`	`RANDOM` cryptographic helper classes
`protected static String`	`SERVER_ASYNC_CIPHER_MODE` RSA algorithm, no block chaining mode (not a block-cipher) and PKCS1 padding, which is recommended to be used in conjunction with RSA
`protected static int`	`SERVER_SYNC_CIPHER_BLOCKSIZE` blocksize in bytes
`protected static String`	`SERVER_SYNC_CIPHER_MODE` the sync cipher mode supported by the server.
`protected static String`	`SERVER_SYNC_CIPHER_NAME`
`static String`	`SUPPORTED_CIPHER_ALGORITHMS` for now, we limit ourselves to AES-128 with CBC blockmode.
`static String`	`SUPPORTED_DIGESTS`
`protected eu.emi.security.authn.x509.X509CertChainValidator`	`validator`

Constructor Summary

Constructors
Constructor and Description
`GSIAuthenticationHandler(eu.emi.security.authn.x509.X509Credential hostCredential, eu.emi.security.authn.x509.X509CertChainValidator validator, String certDir)`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`XrootdResponse<AuthenticationRequest>`	`authenticate(AuthenticationRequest request)` dispatcher function that initializes the diffie-hellman key agreement session, checks the request for the correct protocol and calls the actual handler functions.
`protected void`	`checkCaIdentities(String[] caIdentities)`
`protected void`	`checkVersion(String version)`
`protected String`	`generateChallengeString()` Generate a new challenge string to be used in server-client communication
`String`	`getProtocol()`
`Subject`	`getSubject()`
`boolean`	`isCompleted()`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - PROTOCOL
```
public static final String PROTOCOL
```
    See Also:
    
    Constant Field Values
  - PROTOCOL_VERSION
```
public static final String PROTOCOL_VERSION
```
    See Also:
    
    Constant Field Values
  - CRYPTO_MODE
```
public static final String CRYPTO_MODE
```
    See Also:
    
    Constant Field Values
  - SUPPORTED_CIPHER_ALGORITHMS
```
public static final String SUPPORTED_CIPHER_ALGORITHMS
```
    for now, we limit ourselves to AES-128 with CBC blockmode.
    
    See Also:
    
    Constant Field Values
  - SUPPORTED_DIGESTS
```
public static final String SUPPORTED_DIGESTS
```
    See Also:
    
    Constant Field Values
  - SERVER_ASYNC_CIPHER_MODE
```
protected static final String SERVER_ASYNC_CIPHER_MODE
```
    RSA algorithm, no block chaining mode (not a block-cipher) and PKCS1 padding, which is recommended to be used in conjunction with RSA
    
    See Also:
    
    Constant Field Values
  - SERVER_SYNC_CIPHER_MODE
```
protected static final String SERVER_SYNC_CIPHER_MODE
```
    the sync cipher mode supported by the server. Unless this is made configurable (todo), it has to match the SUPPORTED_CIPHER_ALGORITHMS advertised by the server
    
    See Also:
    
    Constant Field Values
  - SERVER_SYNC_CIPHER_NAME
```
protected static final String SERVER_SYNC_CIPHER_NAME
```
    See Also:
    
    Constant Field Values
  - SERVER_SYNC_CIPHER_BLOCKSIZE
```
protected static final int SERVER_SYNC_CIPHER_BLOCKSIZE
```
    blocksize in bytes
    
    See Also:
    
    Constant Field Values
  - CHALLENGE_BYTES
```
protected static final int CHALLENGE_BYTES
```
    See Also:
    
    Constant Field Values
  - LOGGER
```
protected static final org.slf4j.Logger LOGGER
```
  - RANDOM
```
protected static final SecureRandom RANDOM
```
    cryptographic helper classes
  - CERT_CHECKER
```
protected static final eu.emi.security.authn.x509.helpers.ssl.HostnameToCertificateChecker CERT_CHECKER
```
  - credential
```
protected final eu.emi.security.authn.x509.X509Credential credential
```
    certificates/keys/trust-anchors
  - validator
```
protected final eu.emi.security.authn.x509.X509CertChainValidator validator
```
  - certDir
```
protected final File certDir
```
- Constructor Detail
  - GSIAuthenticationHandler
```
public GSIAuthenticationHandler(eu.emi.security.authn.x509.X509Credential hostCredential,
                                eu.emi.security.authn.x509.X509CertChainValidator validator,
                                String certDir)
```
- Method Detail
  - authenticate
```
public XrootdResponse<AuthenticationRequest> authenticate(AuthenticationRequest request)
                                                   throws XrootdException
```
    dispatcher function that initializes the diffie-hellman key agreement session, checks the request for the correct protocol and calls the actual handler functions.
    
    Specified by:
    
    authenticate in interface AuthenticationHandler
    
    Throws:
    
    XrootdException
    
    See Also:
    
    handleCertReqStep(org.dcache.xrootd.protocol.messages.AuthenticationRequest), handleCertStep(org.dcache.xrootd.protocol.messages.AuthenticationRequest)
  - getProtocol
```
public String getProtocol()
```
    Specified by:
    
    getProtocol in interface AuthenticationHandler
    
    Returns:
    
    the protocol supported by this client. The protocol string also contains metainformation such as the host-certificate subject hash.
  - getSubject
```
public Subject getSubject()
```
    Specified by:
    
    getSubject in interface AuthenticationHandler
  - isCompleted
```
public boolean isCompleted()
```
    Specified by:
    
    isCompleted in interface AuthenticationHandler
  - generateChallengeString
```
protected String generateChallengeString()
```
    Generate a new challenge string to be used in server-client communication
    
    Returns:
    
    challenge string
  - checkCaIdentities
```
protected void checkCaIdentities(String[] caIdentities)
                          throws XrootdException
```
    Throws:
    
    XrootdException
  - checkVersion
```
protected void checkVersion(String version)
```

Class GSIAuthenticationHandler

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

PROTOCOL

PROTOCOL_VERSION

CRYPTO_MODE

SUPPORTED_CIPHER_ALGORITHMS

SUPPORTED_DIGESTS

SERVER_ASYNC_CIPHER_MODE

SERVER_SYNC_CIPHER_MODE

SERVER_SYNC_CIPHER_NAME

SERVER_SYNC_CIPHER_BLOCKSIZE

CHALLENGE_BYTES

LOGGER

RANDOM

CERT_CHECKER

credential

validator

certDir

Constructor Detail

GSIAuthenticationHandler

Method Detail

authenticate

getProtocol

getSubject

isCompleted

generateChallengeString

checkCaIdentities

checkVersion