Class GSICredentialManager


  • public class GSICredentialManager
    extends java.lang.Object
    The component which provides credential management and related support to the request handlers. Wraps loading and refreshing done by the credential loader, and validation of the cert chain.

    Also supports calls to delegation client in support of direct proxy delegation.

    • Constructor Detail

      • GSICredentialManager

        public GSICredentialManager​(java.util.Properties properties,
                                    CredentialLoader credentialLoader,
                                    eu.emi.security.authn.x509.X509CertChainValidator certChainValidator)
    • Method Detail

      • checkIdentity

        public static void checkIdentity​(java.security.cert.X509Certificate certificate,
                                         java.lang.String name)
                                  throws java.security.GeneralSecurityException,
                                         java.net.UnknownHostException
        Throws:
        java.security.GeneralSecurityException
        java.net.UnknownHostException
      • createCertificate

        public java.security.cert.X509Certificate createCertificate​(byte[] bytes)
                                                             throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • cancelOutstandingProxyRequest

        public void cancelOutstandingProxyRequest()
      • getCertChainValidator

        public eu.emi.security.authn.x509.X509CertChainValidator getCertChainValidator()
      • getHostCredential

        public eu.emi.security.authn.x509.impl.PEMCredential getHostCredential()
      • getIssuerHashes

        public java.lang.String getIssuerHashes()
      • getProxy

        public eu.emi.security.authn.x509.X509Credential getProxy()
      • getSenderPublicKey

        public java.security.PublicKey getSenderPublicKey()
      • isDelegationOnly

        public boolean isDelegationOnly()
      • prepareSerializedProxyRequest

        public java.lang.String prepareSerializedProxyRequest​(java.security.cert.X509Certificate[] certChain)
                                                       throws XrootdException
        Server-side method. Creates a proxy request (CSR) from the client's certificate chain. Also stores the cert chain and proxy request for later processing/finalization.
        Parameters:
        certChain - the certificate chain of the authenticating client.
        Returns:
        String representing the CSR (for inclusion in message to client).
        Throws:
        XrootdException
      • getSignedProxyRequest

        public java.security.cert.X509Certificate[] getSignedProxyRequest​(byte[] serverCSR)
                                                                   throws java.io.IOException,
                                                                          java.security.NoSuchAlgorithmException,
                                                                          java.security.SignatureException,
                                                                          java.security.InvalidKeyException,
                                                                          java.security.cert.CertificateParsingException,
                                                                          java.security.NoSuchProviderException
        Client-side method. Takes the CSR from the server and adds the new signed certificate built from it to the front (index 0) of the certificate chain. NOTA BENE: This method is here only for completeness. Hopefully, the SLAC server will be smart enough to know not to request a delegated proxy from the TPC client. When talking to a dCache door, this should always be the case, as the destination server will have already authenticated the user client and checked for/requested a proxy then, which hopefully would be found in cache on the TPC client call.
        Parameters:
        serverCSR -
        Returns:
        full cert chain with chain[0] equal to the new signed cert.
        Throws:
        java.io.IOException
        java.security.NoSuchAlgorithmException
        java.security.SignatureException
        java.security.InvalidKeyException
        java.security.cert.CertificateParsingException
        java.security.NoSuchProviderException
      • setProxyDelegationClient

        public void setProxyDelegationClient​(ProxyDelegationClient proxyDelegationClient)
      • setIssuerHashesFromCredential

        public void setIssuerHashesFromCredential​(eu.emi.security.authn.x509.X509Credential credential)
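
The delegation methods above hand around a chain whose element 0 is the newly signed proxy and whose later elements are its issuers. The following class is an added illustration, not code from xrootd4j or dCache, of the structural checks a receiver can run on such a chain before passing it to the `X509CertChainValidator`: parsing DER bytes the way `createCertificate(byte[])` is documented to, confirming the leaf-first ordering (each certificate issued by, and signed under the key of, its successor), and checking validity periods. It uses only JDK classes; the class name `ProxyChainSanityCheck`, the command-line inputs, and the `dnsNames` helper are assumptions. Since this page documents only the signature of `checkIdentity(certificate, name)`, `dnsNames` merely shows where the names such an identity comparison would be made against live in a certificate; it does not claim to reproduce that method.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/*
 * Added example (hypothetical class, not part of xrootd4j/dCache): sanity checks
 * on a delegated proxy chain ordered as documented above, chain[0] = new proxy.
 */
public final class ProxyChainSanityCheck {

    /** Parse DER bytes into an X509Certificate, as createCertificate(byte[]) is documented to do. */
    public static X509Certificate parse(byte[] der) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Structural checks on a leaf-first chain: every certificate must be within its
     * validity period, must name its successor as issuer, and must carry a signature
     * that verifies under the successor's public key. Path building, revocation and
     * proxy-policy checks are left to the chain validator; this only rejects
     * mis-ordered or tampered input early. The last element (the trust anchor
     * candidate) is not signature-checked here because it has no successor.
     */
    public static void checkLinkage(X509Certificate[] chain) throws GeneralSecurityException {
        if (chain == null || chain.length < 2) {
            throw new GeneralSecurityException("proxy chain must contain the proxy and at least its issuer");
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            cert.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
            if (i + 1 < chain.length) {
                X509Certificate issuer = chain[i + 1];
                if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                    throw new GeneralSecurityException(
                            "chain[" + i + "] was not issued by chain[" + (i + 1) + "]");
                }
                cert.verify(issuer.getPublicKey()); // SignatureException on a forged or reordered cert
            }
        }
    }

    /** Collect the dNSName entries (SAN general-name type 2) of a certificate. */
    public static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return names; // no subjectAltName extension present
        }
        for (List<?> san : sans) {
            // Each entry is [Integer type, Object value]; for dNSName the value is a String.
            if (((Integer) san.get(0)) == 2) {
                names.add((String) san.get(1));
            }
        }
        return names;
    }

    /** Usage: java ProxyChainSanityCheck proxy.der issuer.der [ca.der ...]  (DER files are assumed inputs). */
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length < 2) {
            System.err.println("usage: ProxyChainSanityCheck <proxy.der> <issuer.der> [<ca.der> ...]");
            System.exit(2);
        }
        X509Certificate[] chain = new X509Certificate[args.length];
        for (int i = 0; i < args.length; i++) {
            chain[i] = parse(Files.readAllBytes(Paths.get(args[i])));
        }
        checkLinkage(chain);
        System.out.println("chain is leaf-first and internally consistent; chain[0] subject: "
                + chain[0].getSubjectX500Principal().getName());
        System.out.println("dNSName entries on chain[0]: " + dnsNames(chain[0]));
    }
}
```

`checkLinkage` is cheap and catches the common integration mistakes with the chain returned by `getSignedProxyRequest`: a chain assembled issuer-first, a proxy whose signature does not match the certificate in front of it, or an expired element. It is a precondition check, not a replacement for `getCertChainValidator()`, which still decides trust, proxy policy and revocation.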