Package org.dcache.xrootd.plugins.authn.gsi

Class GSIRequestHandler

  • Direct Known Subclasses:
    GSIClientRequestHandler, GSIServerRequestHandler
    public abstract class GSIRequestHandler
extends java.lang.Object
    Shared settings and functionality for processing both client and server GSI authentication requests.

    • Field Detail

      • LOGGER

        protected static org.slf4j.Logger LOGGER

      • CRYPTO_MODE_NO_PAD

        public static final java.lang.String CRYPTO_MODE_NO_PAD
        See Also:
        Constant Field Values

      • SUPPORTED_CIPHER_ALGORITHM

        public static final java.lang.String SUPPORTED_CIPHER_ALGORITHM
        we limit ourselves to AES-128 with CBC blockmode.
        See Also:
        Constant Field Values

      • SUPPORTED_DIGESTS

        public static final java.lang.String SUPPORTED_DIGESTS
        See Also:
        Constant Field Values

      • ASYNC_CIPHER_MODE

        public static final java.lang.String ASYNC_CIPHER_MODE
        RSA algorithm, no block chaining mode (not a block-cipher) and PKCS1 padding, which is recommended to be used in conjunction with RSA
        See Also:
        Constant Field Values

      • SYNC_CIPHER_MODE_PADDED

        public static final java.lang.String SYNC_CIPHER_MODE_PADDED
        Sync cipher mode supported by the server. It currently must match the SUPPORTED_CIPHER_ALGORITHM advertised by the server
        See Also:
        Constant Field Values

      • SYNC_CIPHER_MODE_UNPADDED

        public static final java.lang.String SYNC_CIPHER_MODE_UNPADDED
        See Also:
        Constant Field Values

      • SYNC_CIPHER_NAME

        public static final java.lang.String SYNC_CIPHER_NAME
        See Also:
        Constant Field Values

      • PUBLIC_KEY_ALGORITHM

        public static final java.lang.String PUBLIC_KEY_ALGORITHM
        For use in encoding/decoding X509 public keys.
        See Also:
        Constant Field Values

      • PUBLIC_KEY_HEADER

        public static final java.lang.String PUBLIC_KEY_HEADER
        See Also:
        Constant Field Values

      • PUBLIC_KEY_FOOTER

        public static final java.lang.String PUBLIC_KEY_FOOTER
        See Also:
        Constant Field Values

      • SYNC_CIPHER_BLOCKSIZE

        public static final int SYNC_CIPHER_BLOCKSIZE
        Blocksize in bytes
        See Also:
        Constant Field Values

      • MAX_TIME_SKEW

        public static final long MAX_TIME_SKEW
        Maximum request time skew. Request is considered invalid if it exceeds this window.

      • SESSION_IV_DELIM

        public static final java.lang.String SESSION_IV_DELIM
        Random session IV.
        See Also:
        Constant Field Values

      • VERSION_KEY

        public static final java.lang.String VERSION_KEY
        Sec response keys
        See Also:
        Constant Field Values

      • RANDOM

        protected static final java.security.SecureRandom RANDOM

      • challenge

        protected java.lang.String challenge

      • lastRequest

        protected long lastRequest

      • noPadding

        protected boolean noPadding

    • Constructor Detail

    • Method Detail

      • generateChallengeString

        public static java.lang.String generateChallengeString()
        Generate a new challenge string to be used in server-client communication
        Returns:
        challenge string

      • getProtocolVersion

        public abstract int getProtocolVersion()

      • getSyncCipherMode

        protected abstract java.lang.String getSyncCipherMode()

      • decryptMainBucketWithSessionKey

        protected NestedBucketBuffer decryptMainBucketWithSessionKey​(java.util.Map<XrootdSecurityProtocol.BucketType,​GSIBucket> receivedBuckets,
                                                             java.lang.String step)
                                                      throws javax.crypto.NoSuchPaddingException,
                                                             java.security.InvalidAlgorithmParameterException,
                                                             java.security.NoSuchAlgorithmException,
                                                             javax.crypto.IllegalBlockSizeException,
                                                             javax.crypto.BadPaddingException,
                                                             java.security.NoSuchProviderException,
                                                             java.security.InvalidKeyException,
                                                             java.io.IOException,
                                                             XrootdException
        Assumes the dhSession has been finalized.
        Parameters:
        receivedBuckets - from the request
        Returns:
        the main bucket as a nested bucket buffer
        Throws:
        javax.crypto.NoSuchPaddingException
        java.security.InvalidAlgorithmParameterException
        java.security.NoSuchAlgorithmException
        javax.crypto.IllegalBlockSizeException
        javax.crypto.BadPaddingException
        java.security.NoSuchProviderException
        java.security.InvalidKeyException
        java.io.IOException
        XrootdException

      • dhParams

        protected byte[] dhParams​(boolean sign)
                   throws java.io.IOException,
                          javax.crypto.BadPaddingException,
                          javax.crypto.IllegalBlockSizeException
        Parameters:
        sign - if true, use the rsaCipher (assumed to be initialized with local private key) to sign the params.
        Returns:
        encoded DH parameters, either signed or unsigned.
        Throws:
        java.io.IOException
        javax.crypto.BadPaddingException
        javax.crypto.IllegalBlockSizeException

      • extractChain

        protected java.security.cert.X509Certificate[] extractChain​(java.util.Map<XrootdSecurityProtocol.BucketType,​GSIBucket> nestedBuckets)
                                                     throws XrootdException,
                                                            java.io.IOException
        Pull out the string content of the kXRS_x509 bucket and convert it into a cert chain.
        Parameters:
        nestedBuckets - containing the x509 bucket.
        Returns:
        the cert chain
        Throws:
        XrootdException
        java.io.IOException

      • finalizeSessionKey

        protected void finalizeSessionKey​(java.util.Map<XrootdSecurityProtocol.BucketType,​GSIBucket> receivedBuckets,
                                  XrootdSecurityProtocol.BucketType bucketType)
                           throws java.io.IOException,
                                  java.security.GeneralSecurityException,
                                  XrootdException
        For the pre-4.9 protocol, the DH client params are sent in the clear (unsigned) in the kXRS_puk bucket. For 4.9+, the params are sent in the kXRS_cipher bucket, and are signed with the client's private key, so they must be decrypted. This method assumes that the rsaCipher has already been initialized for decryption using the public key sent by the client in the kXRS_puk bucket.
        Parameters:
        receivedBuckets -
        bucketType - kXRS_cipher or kXRS_puk.
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException
        XrootdException

      • isRequestExpired

        protected boolean isRequestExpired()

      • postProcessMainBucket

        protected GSIBucket postProcessMainBucket​(java.util.Map<XrootdSecurityProtocol.BucketType,​GSIBucket> buckets,
                                          java.util.Optional<java.lang.String> serializedX509,
                                          int step)
                                   throws javax.crypto.BadPaddingException,
                                          javax.crypto.IllegalBlockSizeException,
                                          java.security.NoSuchProviderException,
                                          javax.crypto.NoSuchPaddingException,
                                          java.security.NoSuchAlgorithmException,
                                          java.security.InvalidKeyException,
                                          java.security.InvalidAlgorithmParameterException,
                                          XrootdException,
                                          java.io.IOException
        Generate a new challenge string. Sign the sender's challenge string (assumes rsaCipher has been initialized for encryption). If the response including this bucket follows session key finalization, the bucket needs to be encrypted. This is indicated by the switch logic on the step parameter.
        Returns:
        main bucket either encrypted or not, depending on step
        Throws:
        javax.crypto.BadPaddingException
        javax.crypto.IllegalBlockSizeException
        java.security.NoSuchProviderException
        javax.crypto.NoSuchPaddingException
        java.security.NoSuchAlgorithmException
        java.security.InvalidKeyException
        java.security.InvalidAlgorithmParameterException
        XrootdException
        java.io.IOException

      • processRSAVerification

        protected java.security.cert.X509Certificate[] processRSAVerification​(java.util.Map<XrootdSecurityProtocol.BucketType,​GSIBucket> nestedBuckets,
                                                                      java.util.Optional<java.security.PublicKey> toMatch)
                                                               throws java.security.InvalidKeyException,
                                                                      java.io.IOException,
                                                                      XrootdException
        Parameters:
        nestedBuckets - containing the x509 certificate bucket
        toMatch - if a sender public key has already been extracted.
        Returns:
        the extracted and verified certificate chain
        Throws:
        java.security.InvalidKeyException
        java.io.IOException
        XrootdException

      • updateLastRequest

        protected void updateLastRequest()

      • verifySignedRTag

        protected void verifySignedRTag​(java.util.Map<XrootdSecurityProtocol.BucketType,​GSIBucket> nestedBuckets)
                         throws XrootdException,
                                javax.crypto.BadPaddingException,
                                javax.crypto.IllegalBlockSizeException,
                                java.io.IOException
        From the main bucket extract the challenge tag signed by the sender. Decrypt this using the rsaCipher (assumes it has been intialized using the received public key). Check that it matches the token previously generated.
        Throws:
        XrootdException
        javax.crypto.BadPaddingException
        javax.crypto.IllegalBlockSizeException
        java.io.IOException