Esempio n. 1
0
  /**
   * Create a {@code CSIIOP.CompoundSecMechanisms} which is a sequence of {@code CompoundSecMech}.
   * Here we only support one security mechanism.
   *
   * @param metadata the metadata object that contains the CSIv2 security configuration info.
   * @param codec the {@code Codec} used to encode the CSIv2 security component.
   * @param sslPort an {@code int} representing the SSL port.
   * @param orb a reference to the running {@code ORB}.
   * @return the constructed {@code CompoundSecMech} array.
   */
  public static CompoundSecMech[] createCompoundSecMechanisms(
      IORSecurityConfigMetadata metadata, Codec codec, int sslPort, ORB orb) {
    // support just 1 security mechanism for now (and ever).
    CompoundSecMech[] csmList = new CompoundSecMech[1];

    // a CompoundSecMech contains: target_requires, transport_mech, as_context_mech,
    // sas_context_mech.
    TaggedComponent transport_mech =
        createTransportMech(metadata.getTransportConfig(), codec, sslPort, orb);

    // create AS Context.
    AS_ContextSec asContext = createAuthenticationServiceContext(metadata);

    // create SAS Context.
    SAS_ContextSec sasContext = createSecureAttributeServiceContext(metadata);

    // create target_requires bit field (AssociationOption) can't read directly the transport_mech
    // TaggedComponent.
    int target_requires =
        createTargetRequires(metadata.getTransportConfig())
            | asContext.target_requires
            | sasContext.target_requires;

    CompoundSecMech csm =
        new CompoundSecMech((short) target_requires, transport_mech, asContext, sasContext);
    csmList[0] = csm;

    return csmList;
  }
Esempio n. 2
0
  /**
   * Create the Secure Attribute Service (SAS) context included in a {@code CompoundSecMech}
   * definition.
   *
   * @param metadata the metadata object that contains the CSIv2 security configuration info.
   * @return the constructed {@code SAS_ContextSec} instance.
   */
  public static SAS_ContextSec createSecureAttributeServiceContext(
      IORSecurityConfigMetadata metadata) {
    SAS_ContextSec context;

    // context contains target_supports, target_requires, privilige_authorities,
    // supported_naming_mechanisms, supported_identity_types.
    int support = 0;
    int require = 0;
    ServiceConfiguration[] privilAuth = new ServiceConfiguration[0];
    byte[][] supNamMechs = {};
    int supIdenTypes = 0; // 0 means ITTAbsent

    // the the SasContext metadata.
    SasContext sasMeta = metadata.getSasContext();

    // if no SAS context metadata, or caller propagation is not supported, we return with a more or
    // less empty sas context.
    if (sasMeta == null || !sasMeta.isCallerPropagationSupported()) {
      context =
          new SAS_ContextSec(
              (short) support, (short) require, privilAuth, supNamMechs, supIdenTypes);
    } else {
      support = IdentityAssertion.value;

      // supporting GSSUP (username/password) naming mechanism.
      byte[] upMech = createGSSUPMechOID();
      supNamMechs = new byte[1][upMech.length];
      System.arraycopy(upMech, 0, supNamMechs[0], 0, upMech.length);

      // since we support IdentityAssertion we need to specify supported identity types. CTS says we
      // need them all
      supIdenTypes =
          ITTAnonymous.value
              | ITTPrincipalName.value
              | ITTX509CertChain.value
              | ITTDistinguishedName.value;
      context =
          new SAS_ContextSec(
              (short) support, (short) require, privilAuth, supNamMechs, supIdenTypes);
    }

    return context;
  }
Esempio n. 3
0
  /**
   * Create the client Authentication Service (AS) context included in a {@code CompoundSecMech}
   * definition.
   *
   * @param metadata the metadata object that contains the CSIv2 security configuration info.
   * @return the constructed {@code AS_ContextSec} instance.
   */
  public static AS_ContextSec createAuthenticationServiceContext(
      IORSecurityConfigMetadata metadata) {

    AS_ContextSec context;

    // the content of the context.
    int support = 0;
    int require = 0;
    byte[] clientAuthMech = {};
    byte[] targetName = {};

    AsContext asMeta = metadata.getAsContext();

    // if no AS context metatada exists, or authentication method "none" is specified, we can
    // produce an empty AS context.
    if (asMeta == null || asMeta.getAuthMethod().equals(AsContext.AUTH_METHOD_NONE)) {
      context = new AS_ContextSec((short) support, (short) require, clientAuthMech, targetName);
    } else {
      // we do support.
      support = EstablishTrustInClient.value;

      // required depends on the metadata.
      if (asMeta.isRequired()) {
        require = EstablishTrustInClient.value;
      }

      // we only support GSSUP authentication method.
      clientAuthMech = createGSSUPMechOID();

      // finally, encode the "realm" name as a CSI.GSS_NT_ExportedName.
      // clientAuthMech should contain the DER encoded GSSUPMechOID at this point.
      String realm = asMeta.getRealm();
      targetName = createGSSExportedName(clientAuthMech, realm.getBytes());

      context = new AS_ContextSec((short) support, (short) require, clientAuthMech, targetName);
    }

    return context;
  }
Esempio n. 4
0
  /**
   * Return a top-level {@code IOP::TaggedComponent} to be stuffed into an IOR, containing an
   * structure {@code SSLIOP::SSL}, tagged as {@code TAG_SSL_SEC_TRANS}.
   *
   * <p>Should be called with non-null metadata, in which case we probably don't want to include
   * security info in the IOR.
   *
   * @param metadata the metadata object that contains the SSL configuration info.
   * @param codec the {@code Codec} used to encode the SSL component.
   * @param sslPort an {@code int} representing the SSL port.
   * @param orb a reference to the running {@code ORB}.
   * @return a {@code TaggedComponent} representing the encoded SSL component.
   */
  public static TaggedComponent createSSLTaggedComponent(
      IORSecurityConfigMetadata metadata, Codec codec, int sslPort, ORB orb) {
    if (metadata == null) {
      log.debugf("createSSLTaggedComponent() called with null metadata");
      return null;
    }

    TaggedComponent tc;
    try {
      int supports = createTargetSupports(metadata.getTransportConfig());
      int requires = createTargetRequires(metadata.getTransportConfig());
      SSL ssl = new SSL((short) supports, (short) requires, (short) sslPort);
      Any any = orb.create_any();
      SSLHelper.insert(any, ssl);
      byte[] componentData = codec.encode_value(any);
      tc = new TaggedComponent(TAG_SSL_SEC_TRANS.value, componentData);
    } catch (InvalidTypeForEncoding e) {
      log.warn("Caught unexcepted exception while encoding SSL component", e);
      throw new RuntimeException(e);
    }
    return tc;
  }