GsiConnectionSocketFactory.java example

Explorer
dcache-master
- archetypes
  - dcache-nearline-plugin-archetype
    - src
      - main
        resources
        archetype-resources
        src
        main
        java
        PluginNearlineStorage.java
        PluginNearlineStorageProvider.java
- modules
/* dCache - http://www.dcache.org/
 *
 * Copyright (C) 2015 Deutsches Elektronen-Synchrotron
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
package org.dcache.srm.client;

import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.proxy.ProxyGenerator;
import eu.emi.security.authn.x509.proxy.ProxyRequestOptions;
import org.apache.http.HttpHost;
import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
import org.apache.http.protocol.HttpContext;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;

/**
 * Wraps a TLS establishing ConnectionSocketFactory and adds optional GSI delegation on top of it.
 */
public class GsiConnectionSocketFactory implements LayeredConnectionSocketFactory
{
    private final LayeredConnectionSocketFactory socketFactory;

    public GsiConnectionSocketFactory(LayeredConnectionSocketFactory socketFactory)
    {
        this.socketFactory = socketFactory;
    }

    @Override
    public Socket createLayeredSocket(Socket sock, String target, int port, HttpContext context) throws IOException
    {
        Socket socket = socketFactory.createLayeredSocket(sock, target, port, context);
        delegate(socket, (HttpClientTransport.Delegation) context.getAttribute(HttpClientTransport.TRANSPORT_HTTP_DELEGATION),
                 (X509Credential) context.getAttribute(HttpClientTransport.TRANSPORT_HTTP_CREDENTIALS));
        return socket;
    }

    @Override
    public Socket createSocket(HttpContext context) throws IOException
    {
        return socketFactory.createSocket(context);
    }

    @Override
    public Socket connectSocket(int connectTimeout, Socket sock, HttpHost host, InetSocketAddress remoteAddress,
                                InetSocketAddress localAddress, HttpContext context) throws IOException
    {
        Socket socket = socketFactory.connectSocket(connectTimeout, sock, host, remoteAddress, localAddress, context);
        delegate(socket,
                 (HttpClientTransport.Delegation) context.getAttribute(HttpClientTransport.TRANSPORT_HTTP_DELEGATION),
                 (X509Credential) context.getAttribute(HttpClientTransport.TRANSPORT_HTTP_CREDENTIALS));
        return socket;
    }

    private void delegate(Socket socket, HttpClientTransport.Delegation delegation, X509Credential credential) throws IOException
    {
        if (delegation != null) {
            switch (delegation) {
            case SKIP:
                break;
            case NONE:
                socket.getOutputStream().write('0');
                socket.getOutputStream().flush();
                break;
            case LIMITED:
            case FULL:
                socket.getOutputStream().write('D');
                socket.getOutputStream().flush();
                try {
                    // read csr
                    ASN1InputStream dIn = new ASN1InputStream(socket.getInputStream());
                    PKCS10CertificationRequest csr =
                            new PKCS10CertificationRequest(CertificationRequest.getInstance(dIn.readObject()));

                    // generate proxy
                    ProxyRequestOptions options = new ProxyRequestOptions(credential.getCertificateChain(), csr);
                    options.setLimited(delegation == HttpClientTransport.Delegation.LIMITED);
                    X509Certificate[] chain = ProxyGenerator.generate(options, credential.getKey());

                    // send to server
                    socket.getOutputStream().write(chain[0].getEncoded());
                    socket.getOutputStream().flush();
                } catch (SignatureException | NoSuchProviderException | CertificateEncodingException |
                        InvalidKeyException | NoSuchAlgorithmException | CertificateParsingException e) {
                    throw new IOException("Failed to signed CSR during delegation: " + e.getMessage(), e);
                }
                break;
            }
        }
    }
}