Class GSIClientRequestHandler

    • Field Detail

      • LOGGER

        protected static org.slf4j.Logger LOGGER
    • Method Detail

      • handleCertReqStep

        public OutboundAuthenticationRequest handleCertReqStep()
                                                        throws XrootdException
        Handles the certreq step. This code is the same for pre-4.9 and 4.9+. After the server indicates that authentication is required, the client initiates the handshake. First, the parsed protocol is checked to make sure that the CA identities are recognized. Next, a request containing the kXRS_rtag is built and sent to the server to be signed.
        Throws:
        XrootdException
      • validateCertificate

        protected java.security.cert.X509Certificate validateCertificate(InboundAuthenticationResponse inbound)
                                                                  throws java.io.IOException,
                                                                         java.security.GeneralSecurityException,
                                                                         XrootdException
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException
        XrootdException
      • handleCertStep

        protected OutboundAuthenticationRequest handleCertStep(InboundAuthenticationResponse response,
                                                               io.netty.channel.ChannelHandlerContext ctx,
                                                               XrootdSecurityProtocol.BucketType dhParamBucket,
                                                               boolean signDhParams,
                                                               java.util.Optional<java.lang.String> publicKeyPem,
                                                               java.util.Optional<java.lang.String> userName)
                                                        throws XrootdException
        The processing of this step differs between versions only in these details:
        (A) the bucket containing DH params: pre-4.9 = kXRS_puk, 4.9 = kXRS_cipher
        (B) DH parameters are signed using the private key: pre-4.9 no, 4.9 yes
        (C) the public key of the client is included in a separate bucket: pre-4.9 no, 4.9 in kXRS_puk
        (D) a username bucket is included: pre-4.9 no, 4.9 yes
        Otherwise, all the following must be done:
        - validate cipher and digest
        - extract and validate the server certificate
        - verify the rtag challenge sent previously
        - finalize the DH session from the DH params sent by server
        - create the main bucket with signed challenge, new challenge and serialized certificate of client
        - add buckets for cipher, digest, dhParams, and optionally publicKey and username.
        Throws:
        XrootdException
      • getClientCredential

        protected abstract eu.emi.security.authn.x509.X509Credential getClientCredential()
      • getClientOpts

        protected abstract java.util.Optional<java.lang.Integer> getClientOpts()
      • usePadded

        protected abstract boolean usePadded()
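
The client-side checks listed for handleCertStep (verify the rtag challenge, check the DH parameter signature when signDhParams is set, finalize the DH session), as an added example that is not xrootd4j code. The class CertStepSketch, its helper methods, SHA256withRSA as the signing primitive and plain byte arrays in place of buckets are assumptions; all keys and the challenge are constructed in main.

```java
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHPublicKey;

public class CertStepSketch {
    // Assumption: SHA256withRSA stands in for the protocol's own signing primitive.
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }
    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }
    // Verify the rtag, verify the DH value when signDhParams is set, then derive the secret.
    static byte[] clientCertStep(PublicKey serverKey, byte[] rtag, byte[] rtagSig,
            byte[] dhValue, byte[] dhSig, boolean signDhParams) throws GeneralSecurityException {
        if (!verify(serverKey, rtag, rtagSig))
            throw new SignatureException("rtag challenge not signed by server key");
        if (signDhParams && (dhSig == null || !verify(serverKey, dhValue, dhSig)))
            throw new SignatureException("DH parameters not signed by server key");
        PublicKey serverDh = KeyFactory.getInstance("DH").generatePublic(new X509EncodedKeySpec(dhValue));
        KeyPairGenerator gen = KeyPairGenerator.getInstance("DH");
        gen.initialize(((DHPublicKey) serverDh).getParams()); // reuse the server's p and g
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(gen.generateKeyPair().getPrivate()); // the matching public value would go back to the server
        ka.doPhase(serverDh, true);
        return ka.generateSecret();
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);
        KeyPair server = rsa.generateKeyPair(); // constructed stand-in for the server certificate key
        KeyPairGenerator dh = KeyPairGenerator.getInstance("DH");
        dh.initialize(2048);
        byte[] dhValue = dh.generateKeyPair().getPublic().getEncoded();
        byte[] rtag = new byte[8]; // constructed challenge
        new SecureRandom().nextBytes(rtag);
        byte[] rtagSig = sign(server.getPrivate(), rtag), dhSig = sign(server.getPrivate(), dhValue);
        System.out.println(clientCertStep(server.getPublic(), rtag, rtagSig, dhValue, dhSig, true).length);
        dhValue[dhValue.length - 1] ^= 1; // value altered after signing
        try { clientCertStep(server.getPublic(), rtag, rtagSig, dhValue, dhSig, true); }
        catch (SignatureException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The second call shows the effect of detail (B): with signDhParams set, a DH value that no longer matches its signature is rejected before any key agreement takes place.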