Package org.dcache.xrootd.plugins.authn.gsi.post49

Class GSIPost49ServerRequestHandler

java.lang.Object

org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler

org.dcache.xrootd.plugins.authn.gsi.GSIServerRequestHandler

org.dcache.xrootd.plugins.authn.gsi.post49.GSIPost49ServerRequestHandler

public class GSIPost49ServerRequestHandler
extends GSIServerRequestHandler

Implementation of server side of GSI handshake according to XrootD 4.9+. Supports proxy delegation.

Nested Class Summary

Nested classes/interfaces inherited from class org.dcache.xrootd.plugins.authn.gsi.GSIServerRequestHandler

GSIServerRequestHandler.CertRequestBuckets

Field Summary

Fields inherited from class org.dcache.xrootd.plugins.authn.gsi.GSIServerRequestHandler

LOGGER, subject

Fields inherited from class org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler

ASYNC_CIPHER_MODE, bufferHandler, CERT_AUTH_KEY, challenge, CHALLENGE_BYTES, credentialManager, CRYPTO_MODE, CRYPTO_MODE_NO_PAD, dhSession, ENCRYPTION_KEY, lastRequest, MAX_TIME_SKEW, noPadding, PROTO_PRE_DELEGATION, PROTO_WITH_DELEGATION, PROTOCOL, PROTOCOL_VERSION, PUBLIC_KEY_ALGORITHM, PUBLIC_KEY_FOOTER, PUBLIC_KEY_HEADER, RANDOM, rsaSession, SESSION_IV_DELIM, SESSION_IV_LEN, SUPPORTED_CIPHER_ALGORITHM, SUPPORTED_DIGESTS, SYNC_CIPHER_BLOCKSIZE, SYNC_CIPHER_MODE_PADDED, SYNC_CIPHER_MODE_UNPADDED, SYNC_CIPHER_NAME, VERSION_KEY

Constructor Summary

Constructors

Constructor	Description
GSIPost49ServerRequestHandler(javax.security.auth.Subject subject, GSICredentialManager credentialManager)

Method Summary

Modifier and Type	Method	Description
int	getProtocolVersion()
protected java.lang.String	getSyncCipherMode()
XrootdResponse<AuthenticationRequest>	handleCertReqStep(AuthenticationRequest request, GSIBucketUtils.BucketData data)
XrootdResponse<AuthenticationRequest>	handleCertStep(AuthenticationRequest request, GSIBucketUtils.BucketData data)	Handle the second step (reply by client to authmore).
XrootdResponse<AuthenticationRequest>	handleSigPxyStep(AuthenticationRequest request, GSIBucketUtils.BucketData data)	Decrypt main bucket, check signed rtag, and then use included signed certificate to finalize proxy (and send to the credential store).
boolean	isFinished(GSIBucketUtils.BucketData data)

Methods inherited from class org.dcache.xrootd.plugins.authn.gsi.GSIServerRequestHandler

cancelHandshake, getDecrypter, handleCertReqStep, validateCiphers, validateDigests

Methods inherited from class org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler

decryptMainBucketWithSessionKey, dhParams, extractChain, finalizeSessionKey, findSessionIVLen, generateChallengeString, isRequestExpired, postProcessMainBucket, processRSAVerification, updateLastRequest, validateCiphers, validateCryptoMode, validateDigests, verifySignedRTag

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

GSIPost49ServerRequestHandler

public GSIPost49ServerRequestHandler(javax.security.auth.Subject subject,
                                     GSICredentialManager credentialManager)
                              throws XrootdException

Throws:

XrootdException

Method Detail

getProtocolVersion

public int getProtocolVersion()

Specified by:

getProtocolVersion in class GSIRequestHandler

handleCertReqStep

public XrootdResponse<AuthenticationRequest> handleCertReqStep(AuthenticationRequest request,
                                                               GSIBucketUtils.BucketData data)
                                                        throws XrootdException

Specified by:

handleCertReqStep in class GSIServerRequestHandler

Throws:

XrootdException

handleCertStep

public XrootdResponse<AuthenticationRequest> handleCertStep(AuthenticationRequest request,
                                                            GSIBucketUtils.BucketData data)
                                                     throws XrootdException

Handle the second step (reply by client to authmore). This involves finalizing the session key, verifying rsa certificate and decrypting and verifying the signed hash. A check is then made for the existence of a proxy. If there is none, a request is generated.

Specified by:

handleCertStep in class GSIServerRequestHandler

Parameters:

request - AuthenticationRequest received by the client

Returns:

either an AuthenticationResponse with step kXGS_pxyreq if there is no currently valid proxy, or and OK response.

Throws:

XrootdException

handleSigPxyStep

public XrootdResponse<AuthenticationRequest> handleSigPxyStep(AuthenticationRequest request,
                                                              GSIBucketUtils.BucketData data)
                                                       throws XrootdException

Decrypt main bucket, check signed rtag, and then use included signed certificate to finalize proxy (and send to the credential store).

Specified by:

handleSigPxyStep in class GSIServerRequestHandler

Returns:

OKResponse if all is well.

Throws:

XrootdException

isFinished

public boolean isFinished(GSIBucketUtils.BucketData data)

Specified by:

isFinished in class GSIServerRequestHandler

getSyncCipherMode

protected java.lang.String getSyncCipherMode()

Specified by:

getSyncCipherMode in class GSIRequestHandler