org.dcache.xrootd.plugins.authn.gsi

Class GSIClientRequestHandler

java.lang.Object

org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler

org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler

Direct Known Subclasses:

GSIPost49ClientRequestHandler, GSIPre49ClientRequestHandler

public abstract class GSIClientRequestHandler
extends GSIRequestHandler

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected class	GSIClientRequestHandler.CertRequestBuckets
protected class	GSIClientRequestHandler.CertResponseBuckets

Field Summary

Fields

Modifier and Type	Field and Description
protected XrootdTpcClient	client
protected static org.slf4j.Logger	LOGGER

Fields inherited from class org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler

ASYNC_CIPHER_MODE, bufferHandler, challenge, CHALLENGE_BYTES, credentialManager, CRYPTO_MODE, CRYPTO_MODE_NO_PAD, dhSession, lastRequest, MAX_TIME_SKEW, noPadding, PROTO_PRE_DELEGATION, PROTO_WITH_DELEGATION, PROTOCOL, PROTOCOL_VERSION, PUBLIC_KEY_ALGORITHM, PUBLIC_KEY_FOOTER, PUBLIC_KEY_HEADER, RANDOM, rsaSession, SESSION_IV_DELIM, SESSION_IV_LEN, SUPPORTED_CIPHER_ALGORITHM, SUPPORTED_DIGESTS, SYNC_CIPHER_BLOCKSIZE, SYNC_CIPHER_MODE_PADDED, SYNC_CIPHER_MODE_UNPADDED, SYNC_CIPHER_NAME

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	GSIClientRequestHandler(GSICredentialManager credentialManager, XrootdTpcClient client)

Method Summary

Modifier and Type	Method and Description
protected abstract eu.emi.security.authn.x509.X509Credential	getClientCredential()
protected abstract Optional<Integer>	getClientOpts()
protected Optional<TpcSigverRequestEncoder>	getSigverEncoder(XrootdTpcClient client)
OutboundAuthenticationRequest	handleCertReqStep() Handle certreq step.
abstract OutboundAuthenticationRequest	handleCertStep(InboundAuthenticationResponse response, io.netty.channel.ChannelHandlerContext ctx)
protected OutboundAuthenticationRequest	handleCertStep(InboundAuthenticationResponse response, io.netty.channel.ChannelHandlerContext ctx, XrootdSecurityProtocol.BucketType dhParamBucket, boolean signDhParams, Optional<String> publicKeyPem, Optional<String> userName) The processing of this step differs between versions only in these details: (A) the bucket containing DH params: pre-4.9 = kXRS_puk, 4.9 = kXRS_cipher (B) DH parameters are signed using the private key: pre-4.9 no, 4.9 yes (C) the public key of the client is included in a separate bucket: pre-4.9 no, 4.9 in kXRS_puk (D) a username bucket is included pre-4.9 no, 4.9 yes Otherwise, all the following must be done: - validate cipher and digest - extract and validate the server certificate - verify the rtag challenge sent previously - finalize the dh session from the dh params sent by server - create the main bucket with signed challenge, new challenge and serialized certificate of client - add buckets for cipher, digest, dhParams, and optionally publicKey and username.
protected abstract void	loadClientCredential()
protected abstract boolean	usePadded()
protected X509Certificate	validateCertificate(InboundAuthenticationResponse inbound)
protected String	validateCiphers(InboundAuthenticationResponse inbound)
protected String	validateDigests(InboundAuthenticationResponse inbound)

Methods inherited from class org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler

decryptMainBucketWithSessionKey, dhParams, extractChain, finalizeSessionKey, findSessionIVLen, generateChallengeString, getProtocolVersion, getSyncCipherMode, isRequestExpired, postProcessMainBucket, processRSAVerification, updateLastRequest, validateCiphers, validateCryptoMode, validateDigests, verifySignedRTag

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOGGER

protected static org.slf4j.Logger LOGGER

client

protected final XrootdTpcClient client

Constructor Detail

GSIClientRequestHandler

protected GSIClientRequestHandler(GSICredentialManager credentialManager,
                                  XrootdTpcClient client)

Method Detail

handleCertReqStep

public OutboundAuthenticationRequest handleCertReqStep()
                                                throws XrootdException

Handle certreq step. This code is the same between pre-4.9 and 4.9+. After being told by the server that authentication is required, the client initiates the handshake. First, we check the parsed protocol to make sure that the ca identities are recognized. Next, we build a request containing the kXRS_rtag and send it to the server to be signed.

Throws:

XrootdException

handleCertStep

public abstract OutboundAuthenticationRequest handleCertStep(InboundAuthenticationResponse response,
                                                             io.netty.channel.ChannelHandlerContext ctx)
                                                      throws XrootdException

Throws:

XrootdException

getSigverEncoder

protected Optional<TpcSigverRequestEncoder> getSigverEncoder(XrootdTpcClient client)

validateCertificate

protected X509Certificate validateCertificate(InboundAuthenticationResponse inbound)
                                       throws IOException,
                                              GeneralSecurityException,
                                              XrootdException

Throws:

IOException

GeneralSecurityException

XrootdException

validateCiphers

protected String validateCiphers(InboundAuthenticationResponse inbound)
                          throws XrootdException

Throws:

XrootdException

validateDigests

protected String validateDigests(InboundAuthenticationResponse inbound)
                          throws XrootdException

Throws:

XrootdException

handleCertStep

protected OutboundAuthenticationRequest handleCertStep(InboundAuthenticationResponse response,
                                                       io.netty.channel.ChannelHandlerContext ctx,
                                                       XrootdSecurityProtocol.BucketType dhParamBucket,
                                                       boolean signDhParams,
                                                       Optional<String> publicKeyPem,
                                                       Optional<String> userName)
                                                throws XrootdException

The processing of this step differs between versions only in these details: (A) the bucket containing DH params: pre-4.9 = kXRS_puk, 4.9 = kXRS_cipher (B) DH parameters are signed using the private key: pre-4.9 no, 4.9 yes (C) the public key of the client is included in a separate bucket: pre-4.9 no, 4.9 in kXRS_puk (D) a username bucket is included pre-4.9 no, 4.9 yes Otherwise, all the following must be done: - validate cipher and digest - extract and validate the server certificate - verify the rtag challenge sent previously - finalize the dh session from the dh params sent by server - create the main bucket with signed challenge, new challenge and serialized certificate of client - add buckets for cipher, digest, dhParams, and optionally publicKey and username.

Throws:

XrootdException

getClientCredential

protected abstract eu.emi.security.authn.x509.X509Credential getClientCredential()

getClientOpts

protected abstract Optional<Integer> getClientOpts()

loadClientCredential

protected abstract void loadClientCredential()
                                      throws XrootdException

Throws:

XrootdException

usePadded

protected abstract boolean usePadded()