/**
* Create a {@code CSIIOP.CompoundSecMechanisms} which is a sequence of {@code CompoundSecMech}.
* Here we only support one security mechanism.
*
* @param metadata the metadata object that contains the CSIv2 security configuration info.
* @param codec the {@code Codec} used to encode the CSIv2 security component.
* @param sslPort an {@code int} representing the SSL port.
* @param orb a reference to the running {@code ORB}.
* @return the constructed {@code CompoundSecMech} array.
*/
public static CompoundSecMech[] createCompoundSecMechanisms(
IORSecurityConfigMetadata metadata, Codec codec, int sslPort, ORB orb) {
// support just 1 security mechanism for now (and ever).
CompoundSecMech[] csmList = new CompoundSecMech[1];
// a CompoundSecMech contains: target_requires, transport_mech, as_context_mech,
// sas_context_mech.
TaggedComponent transport_mech =
createTransportMech(metadata.getTransportConfig(), codec, sslPort, orb);
// create AS Context.
AS_ContextSec asContext = createAuthenticationServiceContext(metadata);
// create SAS Context.
SAS_ContextSec sasContext = createSecureAttributeServiceContext(metadata);
// create target_requires bit field (AssociationOption) can't read directly the transport_mech
// TaggedComponent.
int target_requires =
createTargetRequires(metadata.getTransportConfig())
| asContext.target_requires
| sasContext.target_requires;
CompoundSecMech csm =
new CompoundSecMech((short) target_requires, transport_mech, asContext, sasContext);
csmList[0] = csm;
return csmList;
}
/**
* Create the Secure Attribute Service (SAS) context included in a {@code CompoundSecMech}
* definition.
*
* @param metadata the metadata object that contains the CSIv2 security configuration info.
* @return the constructed {@code SAS_ContextSec} instance.
*/
public static SAS_ContextSec createSecureAttributeServiceContext(
IORSecurityConfigMetadata metadata) {
SAS_ContextSec context;
// context contains target_supports, target_requires, privilige_authorities,
// supported_naming_mechanisms, supported_identity_types.
int support = 0;
int require = 0;
ServiceConfiguration[] privilAuth = new ServiceConfiguration[0];
byte[][] supNamMechs = {};
int supIdenTypes = 0; // 0 means ITTAbsent
// the the SasContext metadata.
SasContext sasMeta = metadata.getSasContext();
// if no SAS context metadata, or caller propagation is not supported, we return with a more or
// less empty sas context.
if (sasMeta == null || !sasMeta.isCallerPropagationSupported()) {
context =
new SAS_ContextSec(
(short) support, (short) require, privilAuth, supNamMechs, supIdenTypes);
} else {
support = IdentityAssertion.value;
// supporting GSSUP (username/password) naming mechanism.
byte[] upMech = createGSSUPMechOID();
supNamMechs = new byte[1][upMech.length];
System.arraycopy(upMech, 0, supNamMechs[0], 0, upMech.length);
// since we support IdentityAssertion we need to specify supported identity types. CTS says we
// need them all
supIdenTypes =
ITTAnonymous.value
| ITTPrincipalName.value
| ITTX509CertChain.value
| ITTDistinguishedName.value;
context =
new SAS_ContextSec(
(short) support, (short) require, privilAuth, supNamMechs, supIdenTypes);
}
return context;
}
/**
* Create the client Authentication Service (AS) context included in a {@code CompoundSecMech}
* definition.
*
* @param metadata the metadata object that contains the CSIv2 security configuration info.
* @return the constructed {@code AS_ContextSec} instance.
*/
public static AS_ContextSec createAuthenticationServiceContext(
IORSecurityConfigMetadata metadata) {
AS_ContextSec context;
// the content of the context.
int support = 0;
int require = 0;
byte[] clientAuthMech = {};
byte[] targetName = {};
AsContext asMeta = metadata.getAsContext();
// if no AS context metatada exists, or authentication method "none" is specified, we can
// produce an empty AS context.
if (asMeta == null || asMeta.getAuthMethod().equals(AsContext.AUTH_METHOD_NONE)) {
context = new AS_ContextSec((short) support, (short) require, clientAuthMech, targetName);
} else {
// we do support.
support = EstablishTrustInClient.value;
// required depends on the metadata.
if (asMeta.isRequired()) {
require = EstablishTrustInClient.value;
}
// we only support GSSUP authentication method.
clientAuthMech = createGSSUPMechOID();
// finally, encode the "realm" name as a CSI.GSS_NT_ExportedName.
// clientAuthMech should contain the DER encoded GSSUPMechOID at this point.
String realm = asMeta.getRealm();
targetName = createGSSExportedName(clientAuthMech, realm.getBytes());
context = new AS_ContextSec((short) support, (short) require, clientAuthMech, targetName);
}
return context;
}
/**
* Return a top-level {@code IOP::TaggedComponent} to be stuffed into an IOR, containing an
* structure {@code SSLIOP::SSL}, tagged as {@code TAG_SSL_SEC_TRANS}.
*
* <p>Should be called with non-null metadata, in which case we probably don't want to include
* security info in the IOR.
*
* @param metadata the metadata object that contains the SSL configuration info.
* @param codec the {@code Codec} used to encode the SSL component.
* @param sslPort an {@code int} representing the SSL port.
* @param orb a reference to the running {@code ORB}.
* @return a {@code TaggedComponent} representing the encoded SSL component.
*/
public static TaggedComponent createSSLTaggedComponent(
IORSecurityConfigMetadata metadata, Codec codec, int sslPort, ORB orb) {
if (metadata == null) {
log.debugf("createSSLTaggedComponent() called with null metadata");
return null;
}
TaggedComponent tc;
try {
int supports = createTargetSupports(metadata.getTransportConfig());
int requires = createTargetRequires(metadata.getTransportConfig());
SSL ssl = new SSL((short) supports, (short) requires, (short) sslPort);
Any any = orb.create_any();
SSLHelper.insert(any, ssl);
byte[] componentData = codec.encode_value(any);
tc = new TaggedComponent(TAG_SSL_SEC_TRANS.value, componentData);
} catch (InvalidTypeForEncoding e) {
log.warn("Caught unexcepted exception while encoding SSL component", e);
throw new RuntimeException(e);
}
return tc;
}
