org.dcache.xrootd.plugins.authn.gsi

Class GSICredentialManager

java.lang.Object

org.dcache.xrootd.plugins.authn.gsi.GSICredentialManager

public class GSICredentialManager
extends Object

The component which provides credential management and related support to the request handlers. Wraps loading and refreshing done by the credential loader, and validation of the cert chain.

Also supports calls to delegation client in support of direct proxy delegation.

Constructor Summary

Constructors

Constructor and Description
GSICredentialManager(Properties properties, CredentialLoader credentialLoader, eu.emi.security.authn.x509.X509CertChainValidator certChainValidator)

Method Summary

Modifier and Type	Method and Description
void	cancelOutstandingProxyRequest()
void	checkCaIdentities(String[] caIdentities)
static void	checkIdentity(X509Certificate certificate, String name)
X509Certificate	createCertificate(byte[] bytes)
SerializableX509Credential	finalizeDelegatedProxy(X509Certificate[] certChain) Attempts to store the new proxy.
eu.emi.security.authn.x509.X509CertChainValidator	getCertChainValidator()
eu.emi.security.authn.x509.impl.PEMCredential	getHostCredential()
String	getIssuerHashes()
eu.emi.security.authn.x509.X509Credential	getProxy()
PublicKey	getSenderPublicKey()
X509Certificate[]	getSignedProxyRequest(byte[] serverCSR) Client-side method.
String	prepareSerializedProxyRequest(X509Certificate[] certChain) Server-side method.
void	setIssuerHashesFromCredential(eu.emi.security.authn.x509.X509Credential credential)
void	setProxyDelegationClient(ProxyDelegationClient proxyDelegationClient)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

GSICredentialManager

public GSICredentialManager(Properties properties,
                            CredentialLoader credentialLoader,
                            eu.emi.security.authn.x509.X509CertChainValidator certChainValidator)

Method Detail

checkIdentity

public static void checkIdentity(X509Certificate certificate,
                                 String name)
                          throws GeneralSecurityException,
                                 UnknownHostException

Throws:

GeneralSecurityException

UnknownHostException

createCertificate

public X509Certificate createCertificate(byte[] bytes)
                                  throws CertificateException

Throws:

CertificateException

cancelOutstandingProxyRequest

public void cancelOutstandingProxyRequest()

checkCaIdentities

public void checkCaIdentities(String[] caIdentities)
                       throws XrootdException

Throws:

XrootdException

finalizeDelegatedProxy

public SerializableX509Credential finalizeDelegatedProxy(X509Certificate[] certChain)
                                                  throws XrootdException

Attempts to store the new proxy.

Parameters:

certChain - signed by client.

Throws:

XrootdException

getCertChainValidator

public eu.emi.security.authn.x509.X509CertChainValidator getCertChainValidator()

getHostCredential

public eu.emi.security.authn.x509.impl.PEMCredential getHostCredential()

getIssuerHashes

public String getIssuerHashes()

getProxy

public eu.emi.security.authn.x509.X509Credential getProxy()

getSenderPublicKey

public PublicKey getSenderPublicKey()

prepareSerializedProxyRequest

public String prepareSerializedProxyRequest(X509Certificate[] certChain)
                                     throws XrootdException

Server-side method. Create a proxy request (CSR) from the client's certificate chain. Also stores the cert chain and proxy request for future processing/finalization.

Parameters:

certChain - from authenticating client.

Returns:

String representing the CSR (for inclusion in message to client).

Throws:

XrootdException

getSignedProxyRequest

public X509Certificate[] getSignedProxyRequest(byte[] serverCSR)
                                        throws IOException,
                                               NoSuchAlgorithmException,
                                               SignatureException,
                                               InvalidKeyException,
                                               CertificateParsingException,
                                               NoSuchProviderException

Client-side method. Takes the CSR request from the server, and adds the new signed certificate based on it to the top/front of the certificate chain. NOTA BENE: This method is here only for completeness. Hopefully, the SLAC server will be smart enough to know not to request a delegated proxy from the TPC client. When talking to a dCache door, this should always be the case, as the destination server will have already authenticated the user client and checked for/requested a proxy then, which hopefully would be found in cache on the TPC client call.

Parameters:

serverCSR -

Returns:

full cert chain with chain[0] equal to the new signed cert.

Throws:

IOException

NoSuchAlgorithmException

SignatureException

InvalidKeyException

CertificateParsingException

NoSuchProviderException

setProxyDelegationClient

public void setProxyDelegationClient(ProxyDelegationClient proxyDelegationClient)

setIssuerHashesFromCredential

public void setIssuerHashesFromCredential(eu.emi.security.authn.x509.X509Credential credential)