• Home
• fr.iscpif.jglobus
• gss
• 2.2.0-20160826
• source code
• Java_GSI_GSSAPI.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.globus.gsi.gssapi.Java_GSI_GSSAPI.html Maven / Gradle / Ivy

Java GSI GSS-API  Implementation Features and Limitations



The Java GSI implementation is an implementation of the Java GSS-API. It supports the GSS-API extensions and the new proxy certificate format specifications as defined by the Global Grid Forum. 
The implementation is based on JSSE (for SSL API) and the BouncyCastle library (for certificate processing API).



Features:


  
Implements Java GSS-API
  

    
wrap/unwrap support SSL wrapped tokens
  
  
Implements most of the GSS-Extensions including:
  

    
Context options
    

      
Supports PROTECTION_FAIL_ON_CONTEXT_EXPIRATION (in Java GSI GSS-API called CHECK_CONTEXT_EXPIRATION)
      
Supports DISALLOW_ENCRYPTION (but only on a per-session basis)
      
Defined additional options: 
      

        
GSS_MODE
        
DELEGATION_TYPE
        
REJECT_LIMITED_PROXY
        
REQUIRE_CLIENT_AUTH
      
    
    
Delegation API
    

      
both wrapped and unwrapped mode (SSL compatible mode)

      
    
    
Import and export of credential
    

      
both opaque and mechanism specific data import/export

      
    
  
  
Starting with JGlobus 2.0, SHA-2 (specifically SHA-256, SHA-384 and SHA-512) certificates are also supported.
  
Supports GSI and SSL compatibility mode (set via context option interface - GSS_MODE)
  
Supports limited and full delegation both using initSecContext/acceptSecContext
and initDelegation/acceptDelegation methods (set via context option interface
- DELEGATION_TYPE)
  
Supports enabling / disabling checking of peer credential  for limited proxy.

  
  
Supports enabling / disabling client authentication for acceptors (set via context option interface - REQUIRE_CLIENT_AUTH)
  
Supports checking GSSAPI credential usage, setting/getting context lifetime
  
Supports anonymous authentication and anonymous credentials
  
Supports internationalization of error messages
Supports authorization check (on the initiating side, hostbased service, identity, etc.)

  
Support certificate extension checking (certificate chain validation is performed by the ProxyPathValidation library)
  

    
BasicConstraints and KeyUsage certificate extension are checked.
    
Any certificates with unsupported critical extensions will be rejected. 

    
  

Changes in JGlobus 2.0 GSSAPI:

With the replacement of PureTLS with JSSE, SHA-2 (specifically SHA-256, SHA-384 and SHA-512) certificates are now supported.
getMIC() and verifyMIC() are no longer available because of the underlying JSSE constraints.
GSI_BIG QOP no longer available. wrap/unwrap can no longer switch between encrypted and unencrypted communication.

setOption(GSSConstants.TRUSTED_CERTIFICATES, TrustedCertificates) and the corresponding getOption no longer supported. Standard GSI mechanisms can be used to specify the Trusted Certificate folder, etc.

Previously deprecated setOption(GSSConstants.GRIM_POLICY_HANDLER, value) deleted.

GlobusGSSCredentialImpl.getGlobusCredential replaced with GlobusGSSCredentialImpl.getX509Credential

The "value" Object parameter to setOption(GSSConstants.DELEGATION_TYPE, value) should be of type GSIConstants.DelegationType, while Integer is supported as well for backward compatibility.

Confidentiality service changes/fixes

RFC definition

Per the GSSAPI Java bindings RFC, only Initiator is allowed to invoke requestConf(). No default specified by the RFC; however per C-bindings (and also implied by the name requestConf), default is taken to be "false".
Acceptor and Initiator can check if the established context provides confidentiality by checking the result of getConfState().
Ability to selectively apply confidentiality via MessageProp object passed to wrap().


GSS-API extensions

This document defines an id-gss-ext-context-opts-disallow-encryption option to a new gss_set_sec_context_option call that is available to Acceptor as well as Initiator. When set, this MUST cause the underlying GSS library to disallow any encryption of application data.

GSI C GSSAPI behavior

Confidentiality is off by default causing the null-encryption cipher suites to be added at the front of the list of cipher suites("eNULL:ALL:!ADH:RC4+RSA:+SSLv2").
Initiator or Acceptor can request confidentiality. If confidentiality is requested, the platform's default SSL cipher suite is used, which by default excludes the null-encryption ciphers.
Acceptor and Initiator can check if the established context provides confidentiality by checking the return_flags parameter to accept_sec_context() or init_sec_context() respectively. GSI_C_CONF_FLAG in return_flags is only set if the cipher suite uses encryption which is at least 56-bit.
Ability to selectively apply confidentiality, but only by requesting confidentiality at context establishment time and later selectively negating confidentiality by use of GSI_BIG QOP.
No enforcement of the id-gss-ext-context-opts-disallow-encryption option defined by the GSS-API extensions document

OLD JGlobus behavior

Confidentiality is ON by default but even when confidentiality is on, TLS_RSA_WITH_NULL_MD5 is added at the end resulting in confidentiality not being guaranteed.
Initiator or Acceptor able to explicitly request confidentiality using requestConf() but again this isn't guaranteed since the null cipher suite TLS_RSA_WITH_NULL_MD5 is always added at the end of the list of negotiable cipher suites. If confidentiality is turned off, then only the null cipher suite TLS_RSA_WITH_NULL_MD5 is enabled.
Initiator and Acceptor can check if the established context provides confidentiality by checking getConfState().
Ability to selectively apply confidentiality, but only by requesting confidentiality at context establishment time and later selectively negating confidentiality by use of GSI_BIG QOP.
No support for any equivalent of the id-gss-ext-context-opts-disallow-encryption option defined by the GSS-API extensions document


NEW JGlobus behavior

Confidentiality is OFF by default causing the null-encryption cipher suites to be added at the front of the list of cipher suites enabled by default by JSSE which are usually non-null cipher suites. This has been done to bring the implementation closer to the GSI C version.
Initiator or Acceptor able to request confidentiality using requestConf() in which case only the cipher suites enabled by default by JSSE which are non-null by default are used.
In other words:


Setting requestConf(true) will cause:

cipher suites enabled by default by JSSE to be left enabled
TLS_RSA_WITH_NULL_MD5 to no longer be added at the end of enabled cipher suites.
NOTE: Requesting confidentiality by invoking requestConf(true) before context establishment does NOT guarantee that confidentiality has been negotiated. Where confidentiality is required, the caller MUST verify after context establishment that confidentiality is available by checking the return value of getConfState().


Setting requestConf(false) will cause:

the NULL cipher suites SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5 to be enabled
all the default JSSE-enabled cipher suites (non-NULL by default) to then be added.



Acceptor and Initiator can check if the established context in fact provides confidentiality by checking getConfState().

Ability to selectively apply confidentiality no longer available as GSI_BIG QOP is no longer supported.

GRAM Contraints: Communication with GRAM servers will currently only succeed with SSLv3 and a narrow set of cipher suites. So, applications attempting communication with GRAM must first invoke GSSContext.setOption(FORCE_SSLV3_AND_CONSTRAIN_CIPHERSUITES_FOR_GRAM, Boolean.TRUE) to force the GSSAPI layer to constrain JSSE to SSLv3 and SSL_RSA_WITH_3DES_EDE_CBC_SHA when confidentiality is requested via requestConf() and SSL_RSA_WITH_NULL_SHA otherwise.
WARNING: Applications that require confidentiality are supposed to check GSSContext.getConfState() after context establishment to make sure the confidentiality service is in fact available but none of them in jGlobus appear to do so!
No support for any equivalent of the id-gss-ext-context-opts-disallow-encryption option defined by the GSS-API extensions document



Clarification:


setOption(GSSConstants.REQUIRE_CLIENT_AUTH, true) and setOption(GSSConstants.ACCEPT_NO_CLIENT_CERTS, true) will cause the former setting to take precedence; in other words client authentication will be "required".

setOption(GSSConstants.REQUIRE_CLIENT_AUTH, false) will cause the setting setOption(GSSConstants.ACCEPT_NO_CLIENT_CERTS, Boolean) to take precedence; "true" will cause client authentication to be "requested" but not required and "false" will cause client authentication to be not desired.


Limitations:

  
No GAA support. Additional certificate chain validation is performed by the ProxyPathValidation library (this is performed after the SSL library verified the chain)
  

    
  
  
Only looks for a proxy file when asked to load default credentials.
  
Does not support protection key parameter to credential import and export API

  
Does not support extensions parameters in the delegation API
  
There
is a few unimplemented methods (e.g.in GSSContext: getWrapSizeLimit(), 
export(), isTransferable(), etc) All unimplemented methods return GSSException.UNAVAILABLE
error and are marked as unimplemented in JavaDoc. Most of stream based operations
defined in Java GSS-API are not implemented (but can be implemented easily)
  
  
The org.ietf.jgss.Oid is not completely implemented (this might be
a problem if the library is used with Java 1.3.x, that class is built in
with Java 1.4.x)

Versions of software used:

  
PureTLS: puretls-0.9b4 with a few custom modifications
  
Cryptix: 3.2 (PureTLS depends on it)
  
Cryptix ASN.1 Kit (Custom version provided by PureTLS)

  
  

BouncyCastle: 1.17