GSIRequestHandler (xrootd4j GSI authentication plugin 3.5.6 API)

java.lang.Object
- org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler

Direct Known Subclasses:

GSIClientRequestHandler, GSIServerRequestHandler
```
public abstract class GSIRequestHandler
extends Object
```
Shared settings and functionality for processing both client and server GSI authentication requests.

Field Summary

Fields
Modifier and Type	Field and Description
`static String`	`ASYNC_CIPHER_MODE` RSA algorithm, no block chaining mode (not a block-cipher) and PKCS1 padding, which is recommended to be used in conjunction with RSA
`protected DHBufferHandler`	`bufferHandler`
`protected String`	`challenge`
`static int`	`CHALLENGE_BYTES`
`protected GSICredentialManager`	`credentialManager`
`static String`	`CRYPTO_MODE`
`static String`	`CRYPTO_MODE_NO_PAD`
`protected DHSession`	`dhSession`
`protected long`	`lastRequest`
`protected static org.slf4j.Logger`	`LOGGER`
`static long`	`MAX_TIME_SKEW` Maximum request time skew.
`protected boolean`	`noPadding`
`static int`	`PROTO_PRE_DELEGATION`
`static int`	`PROTO_WITH_DELEGATION`
`static String`	`PROTOCOL`
`static int`	`PROTOCOL_VERSION`
`static String`	`PUBLIC_KEY_ALGORITHM` For use in encoding/decoding X509 public keys.
`static String`	`PUBLIC_KEY_FOOTER`
`static String`	`PUBLIC_KEY_HEADER`
`protected static SecureRandom`	`RANDOM`
`protected RSASession`	`rsaSession`
`static String`	`SESSION_IV_DELIM` Random session IV.
`static int`	`SESSION_IV_LEN`
`static String`	`SUPPORTED_CIPHER_ALGORITHM` we limit ourselves to AES-128 with CBC blockmode.
`static String`	`SUPPORTED_DIGESTS`
`static int`	`SYNC_CIPHER_BLOCKSIZE` Blocksize in bytes
`static String`	`SYNC_CIPHER_MODE_PADDED` Sync cipher mode supported by the server.
`static String`	`SYNC_CIPHER_MODE_UNPADDED`
`static String`	`SYNC_CIPHER_NAME`

Constructor Summary

Constructors
Modifier Constructor and Description

protected GSIRequestHandler(GSICredentialManager credentialManager)

Constructors
Modifier	Constructor and Description
`protected`	`GSIRequestHandler(GSICredentialManager credentialManager)`

Method Summary

All Methods Static Methods Instance Methods Abstract Methods Concrete Methods
Modifier and Type	Method and Description
`protected NestedBucketBuffer`	`decryptMainBucketWithSessionKey(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> receivedBuckets, String step)` Assumes the dhSession has been finalized.
`protected byte[]`	`dhParams(boolean sign)`
`protected X509Certificate[]`	`extractChain(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> nestedBuckets)` Pull out the string content of the kXRS_x509 bucket and convert it into a cert chain.
`protected void`	`finalizeSessionKey(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> receivedBuckets, XrootdSecurityProtocol.BucketType bucketType)` For the pre-4.9 protocol, the DH client params are sent in the clear (unsigned) in the kXRS_puk bucket.
`protected static int`	`findSessionIVLen(String cipher)`
`static String`	`generateChallengeString()` Generate a new challenge string to be used in server-client communication
`abstract int`	`getProtocolVersion()`
`protected abstract String`	`getSyncCipherMode()`
`protected boolean`	`isRequestExpired()`
`protected XrootdBucket`	`postProcessMainBucket(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> buckets, Optional<String> serializedX509, int step)` Generate a new challenge string.
`protected X509Certificate[]`	`processRSAVerification(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> nestedBuckets, Optional<PublicKey> toMatch)`
`protected void`	`updateLastRequest()`
`protected String`	`validateCiphers(String[] algorithms)`
`protected void`	`validateCryptoMode(String cryptoMode)`
`protected String`	`validateDigests(String[] digests)`
`protected void`	`verifySignedRTag(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> nestedBuckets)` From the main bucket extract the challenge tag signed by the sender.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail
- LOGGER
```
protected static org.slf4j.Logger LOGGER
```
- PROTOCOL
```
public static final String PROTOCOL
```
  See Also:
  
  Constant Field Values
- PROTO_WITH_DELEGATION
```
public static final int PROTO_WITH_DELEGATION
```
  See Also:
  
  Constant Field Values
- PROTO_PRE_DELEGATION
```
public static final int PROTO_PRE_DELEGATION
```
  See Also:
  
  Constant Field Values
- PROTOCOL_VERSION
```
public static final int PROTOCOL_VERSION
```
  See Also:
  
  Constant Field Values
- CRYPTO_MODE
```
public static final String CRYPTO_MODE
```
  See Also:
  
  Constant Field Values
- CRYPTO_MODE_NO_PAD
```
public static final String CRYPTO_MODE_NO_PAD
```
  See Also:
  
  Constant Field Values
- SUPPORTED_CIPHER_ALGORITHM
```
public static final String SUPPORTED_CIPHER_ALGORITHM
```
  we limit ourselves to AES-128 with CBC blockmode.
  
  See Also:
  
  Constant Field Values
- SUPPORTED_DIGESTS
```
public static final String SUPPORTED_DIGESTS
```
  See Also:
  
  Constant Field Values
- ASYNC_CIPHER_MODE
```
public static final String ASYNC_CIPHER_MODE
```
  RSA algorithm, no block chaining mode (not a block-cipher) and PKCS1 padding, which is recommended to be used in conjunction with RSA
  
  See Also:
  
  Constant Field Values
- SYNC_CIPHER_MODE_PADDED
```
public static final String SYNC_CIPHER_MODE_PADDED
```
  Sync cipher mode supported by the server. It currently must match the SUPPORTED_CIPHER_ALGORITHM advertised by the server
  
  See Also:
  
  Constant Field Values
- SYNC_CIPHER_MODE_UNPADDED
```
public static final String SYNC_CIPHER_MODE_UNPADDED
```
  See Also:
  
  Constant Field Values
- SYNC_CIPHER_NAME
```
public static final String SYNC_CIPHER_NAME
```
  See Also:
  
  Constant Field Values
- PUBLIC_KEY_ALGORITHM
```
public static final String PUBLIC_KEY_ALGORITHM
```
  For use in encoding/decoding X509 public keys.
  
  See Also:
  
  Constant Field Values
- PUBLIC_KEY_HEADER
```
public static final String PUBLIC_KEY_HEADER
```
  See Also:
  
  Constant Field Values
- PUBLIC_KEY_FOOTER
```
public static final String PUBLIC_KEY_FOOTER
```
  See Also:
  
  Constant Field Values
- SYNC_CIPHER_BLOCKSIZE
```
public static final int SYNC_CIPHER_BLOCKSIZE
```
  Blocksize in bytes
  
  See Also:
  
  Constant Field Values
- CHALLENGE_BYTES
```
public static final int CHALLENGE_BYTES
```
  See Also:
  
  Constant Field Values
- MAX_TIME_SKEW
```
public static final long MAX_TIME_SKEW
```
  Maximum request time skew. Request is considered invalid if it exceeds this window.
- SESSION_IV_DELIM
```
public static final String SESSION_IV_DELIM
```
  Random session IV.
  
  See Also:
  
  Constant Field Values
- SESSION_IV_LEN
```
public static final int SESSION_IV_LEN
```
  See Also:
  
  Constant Field Values
- RANDOM
```
protected static final SecureRandom RANDOM
```
- credentialManager
```
protected final GSICredentialManager credentialManager
```
- dhSession
```
protected DHSession dhSession
```
- rsaSession
```
protected RSASession rsaSession
```
- bufferHandler
```
protected DHBufferHandler bufferHandler
```
- challenge
```
protected String challenge
```
- lastRequest
```
protected long lastRequest
```
- noPadding
```
protected boolean noPadding
```

Constructor Detail

GSIRequestHandler

protected GSIRequestHandler(GSICredentialManager credentialManager)

Method Detail

findSessionIVLen

protected static int findSessionIVLen(String cipher)
                               throws XrootdException

Throws:: XrootdException

generateChallengeString
```
public static String generateChallengeString()
```
Generate a new challenge string to be used in server-client communication

Returns:

challenge string

getProtocolVersion

public abstract int getProtocolVersion()

getSyncCipherMode

protected abstract String getSyncCipherMode()

decryptMainBucketWithSessionKey

protected NestedBucketBuffer decryptMainBucketWithSessionKey(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> receivedBuckets,
                                                             String step)
                                                      throws NoSuchPaddingException,
                                                             InvalidAlgorithmParameterException,
                                                             NoSuchAlgorithmException,
                                                             IllegalBlockSizeException,
                                                             BadPaddingException,
                                                             NoSuchProviderException,
                                                             InvalidKeyException,
                                                             IOException,
                                                             XrootdException

Assumes the dhSession has been finalized.

Parameters:: receivedBuckets - from the request
Returns:: the main bucket as a nested bucket buffer
Throws:: NoSuchPaddingException; InvalidAlgorithmParameterException; NoSuchAlgorithmException; IllegalBlockSizeException; BadPaddingException; NoSuchProviderException; InvalidKeyException; IOException; XrootdException

dhParams
```
protected byte[] dhParams(boolean sign)
                   throws IOException,
                          BadPaddingException,
                          IllegalBlockSizeException
```
Parameters:

sign - if true, use the rsaCipher (assumed to be initialized with local private key) to sign the params.

Returns:

encoded DH parameters, either signed or unsigned.

Throws:

IOException

BadPaddingException

IllegalBlockSizeException

extractChain

protected X509Certificate[] extractChain(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> nestedBuckets)
                                  throws XrootdException,
                                         IOException

Pull out the string content of the kXRS_x509 bucket and convert it into a cert chain.

Parameters:: nestedBuckets - containing the x509 bucket.
Returns:: the cert chain
Throws:: XrootdException; IOException

finalizeSessionKey
```
protected void finalizeSessionKey(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> receivedBuckets,
                                  XrootdSecurityProtocol.BucketType bucketType)
                           throws IOException,
                                  GeneralSecurityException,
                                  XrootdException
```
For the pre-4.9 protocol, the DH client params are sent in the clear (unsigned) in the kXRS_puk bucket. For 4.9+, the params are sent in the kXRS_cipher bucket, and are signed with the client's private key, so they must be decrypted. This method assumes that the rsaCipher has already been initialized for decryption using the public key sent by the client in the kXRS_puk bucket.

Parameters:

receivedBuckets -

bucketType - kXRS_cipher or kXRS_puk.

Throws:

IOException

GeneralSecurityException

XrootdException

isRequestExpired
```
protected boolean isRequestExpired()
```

postProcessMainBucket

protected XrootdBucket postProcessMainBucket(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> buckets,
                                             Optional<String> serializedX509,
                                             int step)
                                      throws BadPaddingException,
                                             IllegalBlockSizeException,
                                             NoSuchProviderException,
                                             NoSuchPaddingException,
                                             NoSuchAlgorithmException,
                                             InvalidKeyException,
                                             InvalidAlgorithmParameterException,
                                             XrootdException,
                                             IOException

Generate a new challenge string. Sign the sender's challenge string (assumes rsaCipher has been initialized for encryption). If the response including this bucket follows session key finalization, the bucket needs to be encrypted. This is indicated by the switch logic on the step parameter.

Returns:: main bucket either encrypted or not, depending on step
Throws:: BadPaddingException; IllegalBlockSizeException; NoSuchProviderException; NoSuchPaddingException; NoSuchAlgorithmException; InvalidKeyException; InvalidAlgorithmParameterException; XrootdException; IOException

processRSAVerification

protected X509Certificate[] processRSAVerification(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> nestedBuckets,
                                                   Optional<PublicKey> toMatch)
                                            throws InvalidKeyException,
                                                   IOException,
                                                   XrootdException

Parameters:: nestedBuckets - containing the x509 certificate bucket; toMatch - if a sender public key has already been extracted.
Returns:: the extracted and verified certificate chain
Throws:: InvalidKeyException; IOException; XrootdException

updateLastRequest
```
protected void updateLastRequest()
```

validateCiphers

protected String validateCiphers(String[] algorithms)
                          throws XrootdException

Throws:: XrootdException

validateCryptoMode

protected void validateCryptoMode(String cryptoMode)
                           throws XrootdException

Throws:: XrootdException

validateDigests

protected String validateDigests(String[] digests)
                          throws XrootdException

Throws:: XrootdException

verifySignedRTag

protected void verifySignedRTag(Map<XrootdSecurityProtocol.BucketType,XrootdBucket> nestedBuckets)
                         throws XrootdException,
                                BadPaddingException,
                                IllegalBlockSizeException,
                                IOException

From the main bucket extract the challenge tag signed by the sender. Decrypt this using the rsaCipher (assumes it has been intialized using the received public key). Check that it matches the token previously generated.

Throws:: XrootdException; BadPaddingException; IllegalBlockSizeException; IOException

Class GSIRequestHandler

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

LOGGER

PROTOCOL

PROTO_WITH_DELEGATION

PROTO_PRE_DELEGATION

PROTOCOL_VERSION

CRYPTO_MODE

CRYPTO_MODE_NO_PAD

SUPPORTED_CIPHER_ALGORITHM

SUPPORTED_DIGESTS

ASYNC_CIPHER_MODE

SYNC_CIPHER_MODE_PADDED

SYNC_CIPHER_MODE_UNPADDED

SYNC_CIPHER_NAME

PUBLIC_KEY_ALGORITHM

PUBLIC_KEY_HEADER

PUBLIC_KEY_FOOTER

SYNC_CIPHER_BLOCKSIZE

CHALLENGE_BYTES

MAX_TIME_SKEW

SESSION_IV_DELIM

SESSION_IV_LEN

RANDOM

credentialManager

dhSession

rsaSession

bufferHandler

challenge

lastRequest

noPadding