SharedSecret (pki-javadoc)

java.lang.Object
- com.netscape.cms.authentication.DirBasedAuthentication
- - com.netscape.cms.authentication.SharedSecret

All Implemented Interfaces:

ISharedToken, IExtendedPluginInfo, IAuthManager
```
public class SharedSecret
extends DirBasedAuthentication
implements ISharedToken
```
SharedSecret provides methods to retrieve shared secrets between users and the server. It is primarily developed to support CMC Shared Secret-based authentication for enrollment and revocation, but does not preclude usages that conform to the same mechanism and storage format.

Author:

cfu

Field Summary

Fields
Modifier and Type	Field and Description
`static java.lang.String`	`CRED_ShrTok`
`static java.lang.String`	`DEF_SharedToken_ATTR`
`protected byte[]`	`iv`
`static org.slf4j.Logger`	`logger`
`protected static java.lang.String[]`	`mConfigParams`
`protected static java.lang.String[]`	`mRequiredCreds`
`protected java.lang.String`	`mShrTokAttr`
`protected static java.lang.String`	`PROP_DNPATTERN`
`protected static java.lang.String`	`PROP_LDAP_BOUND_CONN`
`protected static java.lang.String`	`PROP_LDAP_BOUND_TAG`
`protected static java.lang.String`	`PROP_LDAPBYTEATTRS`
`protected static java.lang.String`	`PROP_LDAPSTRINGATTRS`
`static java.lang.String`	`PROP_SharedToken_ATTR`
`protected org.mozilla.jss.crypto.CryptoToken`	`token`
`org.mozilla.jss.crypto.KeyWrapAlgorithm`	`wrapAlgorithm`

Fields inherited from class com.netscape.cms.authentication.DirBasedAuthentication
DEFAULT_DNPATTERN, mBaseDN, mBoundConnEnable, mConfig, mConnFactory, mExtendedPluginInfo, mGroupObjectClass, mGroups, mGroupsBaseDN, mGroupsEnable, mGroupUserIDName, mImplName, mLdapAttrs, mLdapByteAttrs, mLdapConfig, mLdapStringAttrs, mName, mPattern, mSearchGroupUserByUserdn, mTag, mUserIDName, PROP_GROUP_OBJECT_CLASS, PROP_GROUP_USERID_NAME, PROP_GROUPS, PROP_GROUPS_BASEDN, PROP_GROUPS_ENABLE, PROP_SEARCH_GROUP_USER_BY_USERDN, PROP_USERID_NAME, USER_DN

Fields inherited from interface org.dogtagpki.server.authentication.IAuthManager
CRED_CERT_SERIAL_TO_REVOKE, CRED_CMC_SELF_SIGNED, CRED_CMC_SIGNING_CERT, CRED_HOST_NAME, CRED_SESSION_ID, CRED_SSL_CLIENT_CERT

Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo
HELP_TEXT, HELP_TOKEN

Constructor Summary

Constructors
Constructor and Description

SharedSecret()

Constructors
Constructor and Description
`SharedSecret()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`protected java.lang.String`	`authenticate(netscape.ldap.LDAPConnection conn, IAuthCredentials authCreds, AuthToken token)` unsupported This is an unconventional authentication plugin implementation that does not support authenticate()
`java.lang.String[]`	`getConfigParams()` Returns a list of configuration parameter names.
`java.lang.String[]`	`getRequiredCreds()` Returns array of required credentials for this authentication manager.
`char[]`	`getSharedToken(java.math.BigInteger serial)` getSharedToken(BigInteger serial) retrieves the shared secret data from CA's internal certificate db based on serial number to revoke shared secret based revocation Note that unlike the shared token attribute for enrollment, the metaInfo attribute for shared token in revocatoiin is not configurable.
`char[]`	`getSharedToken(org.mozilla.jss.pkix.cmc.PKIData cmcdata)` unsupported
`char[]`	`getSharedToken(java.lang.String identification, IAuthToken authToken)` getSharedToken(String identification, IAuthToken authToken) provides support for id_cmc_identification shared secret based enrollment
`void`	`init(java.lang.String name, java.lang.String implName, AuthManagerConfig config)` Initializes the UidPwdDirBasedAuthentication auth manager.
`void`	`initLdapConn(AuthManagerConfig config)` initLadapConn initializes ldap connection for shared token based CMC enrollment.

Methods inherited from class com.netscape.cms.authentication.DirBasedAuthentication
authenticate, formCertInfo, formSubjectName, getConfigStore, getExtendedPluginInfo, getImplName, getLdapAttrs, getLdapByteAttrs, getName, init, setAuthTokenByteValue, setAuthTokenStringValue, setAuthTokenValues, shutdown

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger
```
public static org.slf4j.Logger logger
```

CRED_ShrTok

public static final java.lang.String CRED_ShrTok

See Also:: Constant Field Values

mRequiredCreds

protected static java.lang.String[] mRequiredCreds

PROP_DNPATTERN

protected static final java.lang.String PROP_DNPATTERN

See Also:: Constant Field Values

PROP_LDAPSTRINGATTRS

protected static final java.lang.String PROP_LDAPSTRINGATTRS

See Also:: Constant Field Values

PROP_LDAPBYTEATTRS

protected static final java.lang.String PROP_LDAPBYTEATTRS

See Also:: Constant Field Values

PROP_LDAP_BOUND_CONN

protected static final java.lang.String PROP_LDAP_BOUND_CONN

See Also:: Constant Field Values

PROP_LDAP_BOUND_TAG

protected static final java.lang.String PROP_LDAP_BOUND_TAG

See Also:: Constant Field Values

PROP_SharedToken_ATTR

public static final java.lang.String PROP_SharedToken_ATTR

See Also:: Constant Field Values

DEF_SharedToken_ATTR

public static final java.lang.String DEF_SharedToken_ATTR

See Also:: Constant Field Values

wrapAlgorithm

public org.mozilla.jss.crypto.KeyWrapAlgorithm wrapAlgorithm

mConfigParams

protected static java.lang.String[] mConfigParams

mShrTokAttr
```
protected java.lang.String mShrTokAttr
```

token

protected org.mozilla.jss.crypto.CryptoToken token

iv
```
protected byte[] iv
```

Constructor Detail
- SharedSecret
```
public SharedSecret()
```

Method Detail

init

public void init(java.lang.String name,
                 java.lang.String implName,
                 AuthManagerConfig config)
          throws EBaseException

Description copied from class: DirBasedAuthentication

Initializes the UidPwdDirBasedAuthentication auth manager. Takes the following configuration parameters:

        ldap.basedn             - the ldap base dn.
        ldap.ldapconn.host      - the ldap host.
        ldap.ldapconn.port      - the ldap port
        ldap.ldapconn.secureConn - whether port should be secure
        ldap.minConns           - minimum connections
        ldap.maxConns           - max connections
        dnpattern               - dn pattern.

dnpattern is a string representing a subject name pattern to formulate from the directory attributes and entry dn. If empty or not set, the ldap entry DN will be used as the certificate subject name.

The syntax is

     dnpattern = SubjectNameComp *[ "," SubjectNameComp ]

     SubjectNameComponent = DnComp | EntryComp | ConstantComp
     DnComp = CertAttr "=" "$dn" "." DnAttr "." Num
     EntryComp = CertAttr "=" "$attr" "." EntryAttr "." Num
     ConstantComp = CertAttr "=" Constant
     DnAttr    =  an attribute in the Ldap entry dn
     EntryAttr =  an attribute in the Ldap entry
     CertAttr  =  a Component in the Certificate Subject Name
                  (multiple AVA in one RDN not supported)
     Num       =  the nth value of tha attribute  in the dn or entry.
     Constant  =  Constant String, with any accepted ldap string value.

Example:

 dnpattern:
     E=$attr.mail.1, CN=$attr.cn, OU=$attr.ou.2, O=$dn.o, C=US
 

 Ldap entry dn:
     UID=joesmith, OU=people, O=Acme.com
 

 Ldap attributes:
     cn: Joe Smith
     sn: Smith
     mail: joesmith@acme.com
     mail: joesmith@redhat.com
     ou: people
     ou: IS
     etc.

The subject name formulated in the cert will be :

   E=joesmith@acme.com, CN=Joe Smith, OU=Human Resources, O=Acme.com, C=US

      E = the first 'mail' ldap attribute value in user's entry - joesmithe@acme.com
      CN = the (first) 'cn' ldap attribute value in the user's entry - Joe Smith
      OU = the second 'ou' value in the ldap entry - IS
      O = the (first) 'o' value in the user's entry DN - "Acme.com"
      C = the constant string "US"

Specified by:: init in interface IAuthManager
Overrides:: init in class DirBasedAuthentication
Parameters:: name - The name for this authentication manager instance.; implName - The name of the authentication manager plugin.; config - - The configuration store for this instance.
Throws:: EBaseException - If an error occurs during initialization.

initLdapConn
```
public void initLdapConn(AuthManagerConfig config)
                  throws EBaseException
```
initLadapConn initializes ldap connection for shared token based CMC enrollment.

Throws:

EBaseException

getSharedToken
```
public char[] getSharedToken(java.lang.String identification,
                             IAuthToken authToken)
                      throws EBaseException
```
getSharedToken(String identification, IAuthToken authToken) provides support for id_cmc_identification shared secret based enrollment

Specified by:

getSharedToken in interface ISharedToken

Parameters:

identification - maps to the uid in user's ldap record

authToken - the IAuthToken that will be filled with the DN in user's ldap record Note: caller should clear the memory for the returned token after each use

Throws:

EBaseException

getSharedToken

public char[] getSharedToken(org.mozilla.jss.pkix.cmc.PKIData cmcdata)
                      throws EBaseException

unsupported

Specified by:: getSharedToken in interface ISharedToken
Throws:: EBaseException

getSharedToken
```
public char[] getSharedToken(java.math.BigInteger serial)
                      throws EBaseException
```
getSharedToken(BigInteger serial) retrieves the shared secret data from CA's internal certificate db based on serial number to revoke shared secret based revocation Note that unlike the shared token attribute for enrollment, the metaInfo attribute for shared token in revocatoiin is not configurable. Note: caller should clear the memory for the returned token after each use

Specified by:

getSharedToken in interface ISharedToken

Throws:

EBaseException

authenticate
```
protected java.lang.String authenticate(netscape.ldap.LDAPConnection conn,
                                        IAuthCredentials authCreds,
                                        AuthToken token)
                                 throws EBaseException
```
unsupported This is an unconventional authentication plugin implementation that does not support authenticate()

Specified by:

authenticate in class DirBasedAuthentication

authCreds - The authentication credentials.

Returns:

The user's ldap entry dn.

Throws:

EInvalidCredentials - If the uid and password are not valid

EBaseException - If an internal error occurs.

getConfigParams
```
public java.lang.String[] getConfigParams()
```
Returns a list of configuration parameter names. The list is passed to the configuration console so instances of this implementation can be configured through the console.

Specified by:

getConfigParams in interface IAuthManager

Specified by:

getConfigParams in class DirBasedAuthentication

Returns:

String array of configuration parameter names.

getRequiredCreds
```
public java.lang.String[] getRequiredCreds()
```
Returns array of required credentials for this authentication manager.

Specified by:

getRequiredCreds in interface IAuthManager

Specified by:

getRequiredCreds in class DirBasedAuthentication

Returns:

Array of required credentials.

Class SharedSecret

Field Summary

Fields inherited from class com.netscape.cms.authentication.DirBasedAuthentication

Fields inherited from interface org.dogtagpki.server.authentication.IAuthManager

Fields inherited from interface com.netscape.certsrv.base.IExtendedPluginInfo

Constructor Summary

Method Summary

Methods inherited from class com.netscape.cms.authentication.DirBasedAuthentication

Methods inherited from class java.lang.Object

Field Detail

logger

CRED_ShrTok

mRequiredCreds

PROP_DNPATTERN

PROP_LDAPSTRINGATTRS

PROP_LDAPBYTEATTRS

PROP_LDAP_BOUND_CONN

PROP_LDAP_BOUND_TAG

PROP_SharedToken_ATTR

DEF_SharedToken_ATTR

wrapAlgorithm

mConfigParams

mShrTokAttr

token

iv

Constructor Detail

SharedSecret

Method Detail

init

initLdapConn

getSharedToken

getSharedToken

getSharedToken

authenticate

getConfigParams

getRequiredCreds