jdk-sandbox: jdk/src/share/classes/sun/security/jgss/krb5/ServiceCreds.java@10d789df41bb (annotated)

15006 10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	1	/*
23010 6dadb192ad81 8029235: Update copyright year to match last edit in jdk8 jdk repository for 2013 lana parents: 15649 diff changeset	2	* Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
15006 10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	4	*
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	10	*
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	15	* accompanied this code).
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	16	*
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	20	*
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	23	* questions.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	24	*/
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	25
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	26	package sun.security.jgss.krb5;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	27
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	28	import javax.security.auth.kerberos.KerberosTicket;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	29	import javax.security.auth.kerberos.KerberosKey;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	30	import javax.security.auth.kerberos.KerberosPrincipal;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	31	import javax.security.auth.kerberos.KeyTab;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	32	import javax.security.auth.Subject;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	33
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	34	import sun.security.krb5.Credentials;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	35	import sun.security.krb5.EncryptionKey;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	36	import sun.security.krb5.KrbException;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	37	import java.io.IOException;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	38	import java.util.ArrayList;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	39	import java.util.List;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	40	import java.util.Set;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	41	import sun.security.krb5.*;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	42	import sun.security.krb5.internal.Krb5;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	43
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	44	/**
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	45	* Credentials of a kerberos acceptor. A KerberosPrincipal object (kp) is
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	46	* the principal. It can be specified as the serverPrincipal argument
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	47	* in the getInstance() method, or uses only KerberosPrincipal in the subject.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	48	* Otherwise, the creds object is unbound and kp is null.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	49	*
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	50	* The class also encapsulates various secrets, which can be:
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	51	*
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	52	* 1. Some KerberosKeys (generated from password)
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	53	* 2. Some KeyTabs (for a typical service based on keytabs)
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	54	* 3. A TGT (for S4U2proxy extension or user2user)
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	55	*
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	56	* Note that some secrets can coexist. For example, a user2user service
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	57	* can use its keytab (or keys) if the client can successfully obtain a
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	58	* normal service ticket, or it can use the TGT (actually, the session key
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	59	* of the TGT) if the client can only acquire a service ticket
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	60	* of ENC-TKT-IN-SKEY style.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	61	*
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	62	* @since 1.8
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	63	*/
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	64	public final class ServiceCreds {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	65	// The principal, or null if unbound
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	66	private KerberosPrincipal kp;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	67
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	68	// All principals in the subject's princ set
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	69	private Set<KerberosPrincipal> allPrincs;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	70
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	71	// All private credentials that can be used
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	72	private List<KeyTab> ktabs;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	73	private List<KerberosKey> kk;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	74	private KerberosTicket tgt;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	75
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	76	private boolean destroyed;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	77
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	78	private ServiceCreds() {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	79	// Make sure this class cannot be instantiated externally.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	80	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	81
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	82	/**
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	83	* Creates a ServiceCreds object based on info in a Subject for
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	84	* a given principal name (if specified).
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	85	* @return the object, or null if there is no private creds for it
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	86	*/
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	87	public static ServiceCreds getInstance(
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	88	Subject subj, String serverPrincipal) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	89
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	90	ServiceCreds sc = new ServiceCreds();
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	91
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	92	sc.allPrincs =
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	93	subj.getPrincipals(KerberosPrincipal.class);
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	94
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	95	// Compatibility. A key implies its own principal
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	96	for (KerberosKey key: SubjectComber.findMany(
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	97	subj, serverPrincipal, null, KerberosKey.class)) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	98	sc.allPrincs.add(key.getPrincipal());
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	99	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	100
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	101	if (serverPrincipal != null) { // A named principal
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	102	sc.kp = new KerberosPrincipal(serverPrincipal);
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	103	} else {
15649 f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	104	// For compatibility reason, we set the name of default principal
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	105	// to the "only possible" name it can take, which means there is
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	106	// only one KerberosPrincipal and there is no unbound keytabs
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	107	if (sc.allPrincs.size() == 1) {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	108	boolean hasUnbound = false;
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	109	for (KeyTab ktab: SubjectComber.findMany(
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	110	subj, null, null, KeyTab.class)) {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	111	if (!ktab.isBound()) {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	112	hasUnbound = true;
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	113	break;
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	114	}
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	115	}
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	116	if (!hasUnbound) {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	117	sc.kp = sc.allPrincs.iterator().next();
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	118	serverPrincipal = sc.kp.getName();
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	119	}
15006 10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	120	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	121	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	122
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	123	sc.ktabs = SubjectComber.findMany(
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	124	subj, serverPrincipal, null, KeyTab.class);
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	125	sc.kk = SubjectComber.findMany(
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	126	subj, serverPrincipal, null, KerberosKey.class);
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	127	sc.tgt = SubjectComber.find(
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	128	subj, null, serverPrincipal, KerberosTicket.class);
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	129	if (sc.ktabs.isEmpty() && sc.kk.isEmpty() && sc.tgt == null) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	130	return null;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	131	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	132
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	133	sc.destroyed = false;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	134
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	135	return sc;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	136	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	137
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	138	// can be null
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	139	public String getName() {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	140	if (destroyed) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	141	throw new IllegalStateException("This object is destroyed");
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	142	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	143	return kp == null ? null : kp.getName();
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	144	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	145
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	146	/**
15649 f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	147	* Gets keys for "someone". Used in 2 cases:
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	148	* 1. By TLS because it needs to get keys before client comes in.
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	149	* 2. As a fallback in getEKeys() below.
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	150	* This method can still return an empty array.
15006 10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	151	*/
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	152	public KerberosKey[] getKKeys() {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	153	if (destroyed) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	154	throw new IllegalStateException("This object is destroyed");
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	155	}
15649 f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	156	KerberosPrincipal one = kp; // named principal
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	157	if (one == null && !allPrincs.isEmpty()) { // or, a known principal
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	158	one = allPrincs.iterator().next();
15006 10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	159	}
15649 f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	160	if (one == null) { // Or, some random one
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	161	for (KeyTab ktab: ktabs) {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	162	// Must be unbound keytab, otherwise, allPrincs is not empty
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	163	PrincipalName pn =
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	164	Krb5Util.snapshotFromJavaxKeyTab(ktab).getOneName();
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	165	if (pn != null) {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	166	one = new KerberosPrincipal(pn.getName());
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	167	break;
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	168	}
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	169	}
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	170	}
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	171	if (one != null) {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	172	return getKKeys(one);
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	173	} else {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	174	return new KerberosKey[0];
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	175	}
15006 10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	176	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	177
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	178	/**
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	179	* Get kkeys for a principal,
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	180	* @param princ the target name initiator requests. Not null.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	181	* @return keys for the princ, never null, might be empty
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	182	*/
15649 f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	183	public KerberosKey[] getKKeys(KerberosPrincipal princ) {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	184	if (destroyed) {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	185	throw new IllegalStateException("This object is destroyed");
15006 10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	186	}
15649 f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	187	ArrayList<KerberosKey> keys = new ArrayList<>();
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	188	if (kp != null && !princ.equals(kp)) { // named principal
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	189	return new KerberosKey[0];
15006 10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	190	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	191	for (KerberosKey k: kk) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	192	if (k.getPrincipal().equals(princ)) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	193	keys.add(k);
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	194	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	195	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	196	for (KeyTab ktab: ktabs) {
15649 f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	197	if (ktab.getPrincipal() == null && ktab.isBound()) {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	198	// legacy bound keytab. although we don't know who
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	199	// the bound principal is, it must be in allPrincs
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	200	if (!allPrincs.contains(princ)) {
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	201	continue; // skip this legacy bound keytab
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	202	}
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	203	}
15006 10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	204	for (KerberosKey k: ktab.getKeys(princ)) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	205	keys.add(k);
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	206	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	207	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	208	return keys.toArray(new KerberosKey[keys.size()]);
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	209	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	210
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	211	/**
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	212	* Gets EKeys for a principal.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	213	* @param princ the target name initiator requests. Not null.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	214	* @return keys for the princ, never null, might be empty
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	215	*/
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	216	public EncryptionKey[] getEKeys(PrincipalName princ) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	217	if (destroyed) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	218	throw new IllegalStateException("This object is destroyed");
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	219	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	220	KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	221	if (kkeys.length == 0) {
15649 f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	222	// Fallback: old JDK does not perform real name checking. If the
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	223	// acceptor has host.sun.com but initiator requests for host,
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	224	// as long as their keys match (i.e. keys for one can decrypt
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	225	// the other's service ticket), the authentication is OK.
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	226	// There are real customers depending on this to use different
f6bd3d34f844 8001104: Unbound SASL service: the GSSAPI/krb5 mech weijun parents: 15006 diff changeset	227	// names for a single service.
15006 10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	228	kkeys = getKKeys();
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	229	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	230	EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	231	for (int i=0; i<ekeys.length; i++) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	232	ekeys[i] = new EncryptionKey(
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	233	kkeys[i].getEncoded(), kkeys[i].getKeyType(),
25522 10d789df41bb 8049892: Replace uses of 'new Integer()' with appropriate alternative across core classes prr parents: 23010 diff changeset	234	kkeys[i].getVersionNumber());
15006 10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	235	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	236	return ekeys;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	237	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	238
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	239	public Credentials getInitCred() {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	240	if (destroyed) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	241	throw new IllegalStateException("This object is destroyed");
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	242	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	243	if (tgt == null) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	244	return null;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	245	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	246	try {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	247	return Krb5Util.ticketToCreds(tgt);
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	248	} catch (KrbException \| IOException e) {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	249	return null;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	250	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	251	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	252
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	253	public void destroy() {
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	254	// Do not wipe out real keys because they are references to the
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	255	// priv creds in subject. Just make it useless.
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	256	destroyed = true;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	257	kp = null;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	258	ktabs.clear();
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	259	kk.clear();
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	260	tgt = null;
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	261	}
10d6aacdd67f 8005447: default principal should act as anyone weijun parents: diff changeset	262	}

author	prr
	Tue, 15 Jul 2014 11:22:14 -0700
changeset 25522	10d789df41bb
parent 23010	6dadb192ad81
permissions	-rw-r--r--