/* |
5506 | 2 |
* Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.jgss.spnego; |
|
27 |
||
28 |
import com.sun.security.jgss.ExtendedGSSContext; |
29 |
import com.sun.security.jgss.InquireType; |
2 | 30 |
import java.io.*; |
31 |
import java.security.Provider; |
|
32 |
import org.ietf.jgss.*; |
|
33 |
import sun.security.jgss.*; |
|
34 |
import sun.security.jgss.spi.*; |
|
35 |
import sun.security.util.*; |
|
36 |
||
37 |
/** |
|
38 |
* Implements the mechanism specific context class for SPNEGO |
|
39 |
* GSS-API mechanism |
|
40 |
* |
|
41 |
* @author Seema Malkani |
|
42 |
* @since 1.6 |
|
43 |
*/ |
|
44 |
public class SpNegoContext implements GSSContextSpi { |
|
45 |
||
46 |
/*
 * The different states that this context can be in.
 */
// Lifecycle: NEW -> IN_PROCESS -> DONE. DELETED is reached via dispose()
// and, on the initiator side, when the peer answers REJECT.
private static final int STATE_NEW = 1;
private static final int STATE_IN_PROCESS = 2;
private static final int STATE_DONE = 3;
private static final int STATE_DELETED = 4;

private int state = STATE_NEW;

/*
 * Optional features that the application can set and their default
 * values.
 */
// The request*() setters only honour a new value while state == STATE_NEW
// on the initiator side. On the acceptor side these fields are overwritten
// from the negotiated mechanism context by setContextFlags().
private boolean credDelegState = false;
private boolean mutualAuthState = true;
private boolean replayDetState = true;
private boolean sequenceDetState = true;
private boolean confState = true;
private boolean integState = true;
private boolean delegPolicyState = false;

// Target name; only set by the initiator-side constructor.
private GSSNameSpi peerName = null;
private GSSNameSpi myName = null;
private SpNegoCredElement myCred = null;

// Context of the mechanism negotiated under SPNEGO; created lazily by
// GSS_initSecContext / GSS_acceptSecContext on first use.
private GSSContext mechContext = null;
// DER-encoded MechTypeList that was sent (initiator) or received
// (acceptor); the mechListMIC is verified over exactly these bytes.
private byte[] DER_mechTypes = null;

// Requested by the initiator-side constructor.
private int lifetime;
private ChannelBinding channelBinding;
private boolean initiator;

// the underlying negotiated mechanism
private Oid internal_mech = null;

// the SpNegoMechFactory that creates this context
final private SpNegoMechFactory factory;

// debug property
// When enabled, establishment tokens are printed in hex to System.out.
static final boolean DEBUG =
    java.security.AccessController.doPrivileged(
        new sun.security.action.GetBooleanAction
            ("sun.security.spnego.debug")).booleanValue();
|
90 |
||
91 |
/**
 * Creates the initiator-side SPNEGO context.
 *
 * @param factory  the SpNegoMechFactory creating this context
 * @param peerName the target (acceptor) name; must not be null
 * @param myCred   the initiator's credential element, or null to let the
 *                 mechanism pick a default; when present it must be a
 *                 SpNegoCredElement
 * @param lifetime the requested context lifetime
 * @throws IllegalArgumentException if peerName is null or myCred is of
 *         the wrong element type
 * @throws GSSException declared for SPI conformance
 */
public SpNegoContext(SpNegoMechFactory factory, GSSNameSpi peerName,
                     GSSCredentialSpi myCred,
                     int lifetime) throws GSSException {
    if (peerName == null) {
        throw new IllegalArgumentException("Cannot have null peer name");
    }
    // A missing credential is fine; a non-SPNEGO element is not.
    boolean wrongCredType = (myCred != null)
            && !(myCred instanceof SpNegoCredElement);
    if (wrongCredType) {
        throw new IllegalArgumentException("Wrong cred element type");
    }
    this.factory = factory;
    this.initiator = true;
    this.peerName = peerName;
    this.myCred = (SpNegoCredElement) myCred;
    this.lifetime = lifetime;
}
|
110 |
||
111 |
/**
 * Creates the acceptor-side SPNEGO context.
 *
 * @param factory the SpNegoMechFactory creating this context
 * @param myCred  the acceptor's credential element, or null to let the
 *                mechanism pick a default; when present it must be a
 *                SpNegoCredElement
 * @throws IllegalArgumentException if myCred is of the wrong element type
 * @throws GSSException declared for SPI conformance
 */
public SpNegoContext(SpNegoMechFactory factory, GSSCredentialSpi myCred)
    throws GSSException {
    boolean wrongCredType = (myCred != null)
            && !(myCred instanceof SpNegoCredElement);
    if (wrongCredType) {
        throw new IllegalArgumentException("Wrong cred element type");
    }
    this.factory = factory;
    this.initiator = false;
    this.myCred = (SpNegoCredElement) myCred;
}
|
124 |
||
125 |
/**
 * Constructor used to import a previously exported context. SPNEGO does
 * not support context import, so this constructor always fails.
 *
 * @param factory           the SpNegoMechFactory creating this context
 * @param interProcessToken the exported context token (never read)
 * @throws GSSException always, with major code UNAVAILABLE
 */
public SpNegoContext(SpNegoMechFactory factory, byte [] interProcessToken)
    throws GSSException {
    String reason = "GSS Import Context not available";
    throw new GSSException(GSSException.UNAVAILABLE, -1, reason);
}
|
133 |
||
134 |
/**
 * Requests that confidentiality be available.
 * The request is honoured only on the initiator side and only before
 * the first initSecContext call; otherwise it is silently ignored.
 *
 * @param value true to request confidentiality
 */
public final void requestConf(boolean value) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    confState = value;
}
|
141 |
||
142 |
/**
 * Is confidentiality available?
 *
 * @return the requested value (default true); on the acceptor side it is
 *         lowered to the mechanism's value once the context is
 *         established
 */
public final boolean getConfState() {
    return this.confState;
}
|
148 |
||
149 |
/**
 * Requests that integrity be available.
 * The request is honoured only on the initiator side and only before
 * the first initSecContext call; otherwise it is silently ignored.
 *
 * @param value true to request integrity
 */
public final void requestInteg(boolean value) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    integState = value;
}
|
156 |
||
157 |
/**
 * Requests that the delegation policy be respected.
 * The request is honoured only on the initiator side and only before
 * the first initSecContext call; otherwise it is silently ignored.
 *
 * @param value true to request that the delegation policy be respected
 */
public final void requestDelegPolicy(boolean value) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    delegPolicyState = value;
}
|
164 |
||
165 |
/**
 * Is integrity available?
 *
 * @return the requested value (default true); on the acceptor side it is
 *         lowered to the mechanism's value once the context is
 *         established
 */
public final boolean getIntegState() {
    return this.integState;
}
|
171 |
||
172 |
/**
 * Is the delegation policy respected?
 * Once negotiation is under way on the initiator side, the answer is
 * taken from the underlying mechanism context when that context is an
 * {@link ExtendedGSSContext}; before that, and always on the acceptor
 * side, the locally requested value is returned.
 *
 * @return whether the delegation policy is respected
 */
public final boolean getDelegPolicyState() {
    boolean negotiating = (state == STATE_IN_PROCESS)
            || (state == STATE_DONE);
    // instanceof is false for null, so no separate null check is needed
    if (isInitiator() && negotiating
            && mechContext instanceof ExtendedGSSContext) {
        ExtendedGSSContext extended = (ExtendedGSSContext) mechContext;
        return extended.getDelegPolicyState();
    }
    return delegPolicyState;
}
|
184 |
||
185 |
/**
 * Requests that credential delegation be done during context
 * establishment.
 * The request is honoured only on the initiator side and only before
 * the first initSecContext call; otherwise it is silently ignored.
 *
 * @param value true to request credential delegation
 */
public final void requestCredDeleg(boolean value) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    credDelegState = value;
}
|
193 |
||
194 |
/**
 * Is credential delegation enabled?
 * Once negotiation is under way on the initiator side, the answer is the
 * underlying mechanism context's; before that, and on the acceptor side,
 * it is the locally stored value.
 *
 * @return whether credential delegation is enabled
 */
public final boolean getCredDelegState() {
    boolean negotiating = (state == STATE_IN_PROCESS)
            || (state == STATE_DONE);
    if (!isInitiator() || mechContext == null || !negotiating) {
        return credDelegState;
    }
    return mechContext.getCredDelegState();
}
|
205 |
||
206 |
/**
 * Requests that mutual authentication be done during context
 * establishment. Since this is from the client's perspective, it
 * essentially requests that the server be authenticated.
 * The request is honoured only on the initiator side and only before
 * the first initSecContext call; otherwise it is silently ignored.
 *
 * @param value true to request mutual authentication
 */
public final void requestMutualAuth(boolean value) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    mutualAuthState = value;
}
|
216 |
||
217 |
/**
 * Is mutual authentication enabled? Since this is from the client's
 * perspective, it essentially means that the server is being
 * authenticated.
 *
 * @return the requested value (default true); on the acceptor side it is
 *         lowered to the mechanism's value once the context is
 *         established
 */
public final boolean getMutualAuthState() {
    return this.mutualAuthState;
}
|
225 |
||
226 |
/**
 * Returns the mechanism oid.
 * Until the context is established this is the SPNEGO OID itself;
 * afterwards it is the OID of the negotiated underlying mechanism.
 *
 * @return the Oid of this context
 */
public final Oid getMech() {
    return isEstablished()
            ? getNegotiatedMech()
            : SpNegoMechFactory.GSS_SPNEGO_MECH_OID;
}
|
237 |
||
238 |
/**
 * Returns the underlying mechanism chosen during negotiation.
 *
 * @return the negotiated mechanism Oid, or null while nothing has been
 *         negotiated yet
 */
public final Oid getNegotiatedMech() {
    return this.internal_mech;
}
|
241 |
||
242 |
/**
 * Returns the provider that supplies this SPNEGO implementation.
 *
 * @return the factory's provider
 */
public final Provider getProvider() {
    Provider provider = SpNegoMechFactory.PROVIDER;
    return provider;
}
|
245 |
||
246 |
/**
 * Releases this context. The reference to the mechanism context is
 * dropped and the state becomes STATE_DELETED.
 * NOTE(review): the underlying mechanism context is dropped, not
 * disposed — confirm whether its own dispose() should be invoked here.
 *
 * @throws GSSException declared for SPI conformance; never thrown here
 */
public final void dispose() throws GSSException {
    state = STATE_DELETED;
    mechContext = null;
}
|
250 |
||
251 |
/**
 * Tests if this is the initiator side of the context.
 * The side is fixed by the constructor that created the context.
 *
 * @return boolean indicating if this is initiator (true)
 * or target (false)
 */
public final boolean isInitiator() {
    return this.initiator;
}
|
260 |
||
261 |
/**
 * Tests if the context can be used for per-message service.
 * Context may allow the calls to the per-message service
 * functions before being fully established.
 *
 * This implementation is conservative: per-message calls are allowed
 * only once negotiation has completed, so the answer coincides with
 * {@link #isEstablished()}.
 *
 * @return boolean indicating if per-message methods can
 * be called.
 */
public final boolean isProtReady() {
    return isEstablished();
}
|
272 |
||
273 |
/**
 * Initiator context establishment call. This method may be
 * required to be called several times. A CONTINUE_NEEDED return
 * call indicates that more calls are needed after the next token
 * is received from the peer.
 *
 * State machine: in STATE_NEW the first mechanism's token is wrapped in
 * a NegTokenInit carrying the MechTypeList and context flags. In
 * STATE_IN_PROCESS the peer's NegTokenTarg is parsed, its response token
 * is fed to the mechanism, the mechListMIC is checked (unless MS interop
 * is on), and the context either completes (STATE_DONE) or returns a
 * continuation NegTokenInit.
 *
 * @param is contains the token received from the peer. On the
 * first call it will be ignored.
 * @param mechTokenSize not used by this implementation; the whole
 * stream is read
 * @return any token required to be sent to the peer
 * It is responsibility of the caller to send the token
 * to its peer for processing.
 * @exception GSSException re-thrown with the major code of the phase
 * that was executing when the failure occurred (tracked in errorCode);
 * the original exception is attached as the cause
 */
public final byte[] initSecContext(InputStream is, int mechTokenSize)
    throws GSSException {

    byte[] retVal = null;
    NegTokenInit initToken = null;
    byte[] mechToken = null;
    // errorCode follows the phase being executed; the GSSException catch
    // block below uses it as the major code of the re-thrown exception.
    int errorCode = GSSException.FAILURE;

    if (DEBUG) {
        System.out.println("Entered SpNego.initSecContext with " +
                           "state=" + printState(state));
    }
    if (!isInitiator()) {
        throw new GSSException(GSSException.FAILURE, -1,
            "initSecContext on an acceptor GSSContext");
    }

    try {
        if (state == STATE_NEW) {
            state = STATE_IN_PROCESS;

            errorCode = GSSException.NO_CRED;

            // determine available mech set
            Oid[] mechList = getAvailableMechs();
            DER_mechTypes = getEncodedMechs(mechList);

            // pull out first mechanism
            // (the optimistic mechanism: its token travels in the
            // NegTokenInit)
            internal_mech = mechList[0];

            // get the token for first mechanism
            mechToken = GSS_initSecContext(null);

            errorCode = GSSException.DEFECTIVE_TOKEN;
            // generate SPNEGO token
            // No mechListMIC is attached on this first leg (last arg null).
            initToken = new NegTokenInit(DER_mechTypes, getContextFlags(),
                                mechToken, null);
            if (DEBUG) {
                System.out.println("SpNegoContext.initSecContext: " +
                            "sending token of type = " +
                            SpNegoToken.getTokenName(initToken.getType()));
            }
            // get the encoded token
            retVal = initToken.getEncoded();

        } else if (state == STATE_IN_PROCESS) {

            errorCode = GSSException.FAILURE;
            if (is == null) {
                throw new GSSException(errorCode, -1,
                                "No token received from peer!");
            }

            errorCode = GSSException.DEFECTIVE_TOKEN;
            // NOTE(review): the buffer is sized from available(), which is
            // only a hint for a general InputStream; this presumably relies
            // on callers passing an in-memory stream — confirm.
            byte[] server_token = new byte[is.available()];
            SpNegoToken.readFully(is, server_token);
            if (DEBUG) {
                System.out.println("SpNegoContext.initSecContext: " +
                                    "process received token = " +
                                    SpNegoToken.getHexBytes(server_token));
            }

            // read the SPNEGO token
            // token will be validated when parsing
            NegTokenTarg targToken = new NegTokenTarg(server_token);

            if (DEBUG) {
                System.out.println("SpNegoContext.initSecContext: " +
                            "received token of type = " +
                            SpNegoToken.getTokenName(targToken.getType()));
            }

            // pull out mechanism
            // The mechanism the server selected replaces the optimistic
            // one chosen above.
            internal_mech = targToken.getSupportedMech();
            if (internal_mech == null) {
                // return wth failure
                throw new GSSException(errorCode, -1,
                                "supported mechansim from server is null");
            }

            // get the negotiated result
            // Wire values 0/1/2 are negState accept-completed,
            // accept-incomplete and reject respectively.
            SpNegoToken.NegoResult negoResult = null;
            int result = targToken.getNegotiatedResult();
            switch (result) {
                case 0:
                    negoResult = SpNegoToken.NegoResult.ACCEPT_COMPLETE;
                    state = STATE_DONE;
                    break;
                case 1:
                    negoResult = SpNegoToken.NegoResult.ACCEPT_INCOMPLETE;
                    state = STATE_IN_PROCESS;
                    break;
                case 2:
                    negoResult = SpNegoToken.NegoResult.REJECT;
                    state = STATE_DELETED;
                    break;
                default:
                    // NOTE(review): an unknown negState leaves negoResult
                    // null, so neither branch below runs: the context is
                    // marked STATE_DONE with retVal still null — confirm
                    // this is intended rather than a DEFECTIVE_TOKEN.
                    state = STATE_DONE;
                    break;
            }

            errorCode = GSSException.BAD_MECH;

            if (negoResult == SpNegoToken.NegoResult.REJECT) {
                throw new GSSException(errorCode, -1,
                                    internal_mech.toString());
            }

            errorCode = GSSException.DEFECTIVE_TOKEN;

            if ((negoResult == SpNegoToken.NegoResult.ACCEPT_COMPLETE) ||
                (negoResult == SpNegoToken.NegoResult.ACCEPT_INCOMPLETE)) {

                // pull out the mechanism token
                byte[] accept_token = targToken.getResponseToken();
                if (accept_token == null) {
                    // A missing response token is only acceptable when the
                    // mechanism context already finished on our side.
                    if (!isMechContextEstablished()) {
                        // return with failure
                        throw new GSSException(errorCode, -1,
                                    "mechanism token from server is null");
                    }
                } else {
                    mechToken = GSS_initSecContext(accept_token);
                }
                // verify MIC
                // Skipped entirely in MS interop mode. Otherwise note that
                // verifyMechListMIC treats an absent MIC as success; only a
                // present-but-invalid MIC fails here.
                if (!GSSUtil.useMSInterop()) {
                    byte[] micToken = targToken.getMechListMIC();
                    if (!verifyMechListMIC(DER_mechTypes, micToken)) {
                        throw new GSSException(errorCode, -1,
                            "verification of MIC on MechList Failed!");
                    }
                }
                if (isMechContextEstablished()) {
                    // Establishment finished: any final mechanism token is
                    // returned raw (not wrapped in a SPNEGO token).
                    state = STATE_DONE;
                    retVal = mechToken;
                    if (DEBUG) {
                        System.out.println("SPNEGO Negotiated Mechanism = "
                            + internal_mech + " " +
                            GSSUtil.getMechStr(internal_mech));
                    }
                } else {
                    // generate SPNEGO token
                    // Continuation leg: no MechTypeList or flags, just the
                    // next mechanism token.
                    initToken = new NegTokenInit(null, null,
                                mechToken, null);
                    if (DEBUG) {
                        System.out.println("SpNegoContext.initSecContext:" +
                            " continue sending token of type = " +
                            SpNegoToken.getTokenName(initToken.getType()));
                    }
                    // get the encoded token
                    retVal = initToken.getEncoded();
                }
            }

        } else {
            // XXX Use logging API
            // STATE_DONE / STATE_DELETED: nothing to do, retVal stays null.
            if (DEBUG) {
                System.out.println(state);
            }
        }
        if (DEBUG) {
            if (retVal != null) {
                System.out.println("SNegoContext.initSecContext: " +
                    "sending token = " + SpNegoToken.getHexBytes(retVal));
            }
        }
    } catch (GSSException e) {
        // Re-wrap under the current phase's major code; the original
        // exception is preserved as the cause.
        GSSException gssException =
                new GSSException(errorCode, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    } catch (IOException e) {
        // Stream or DER failures surface as a generic FAILURE.
        GSSException gssException =
                new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }

    return retVal;
}
|
466 |
||
467 |
||
468 |
/**
 * Acceptor's context establishment call. This method may be
 * required to be called several times. A CONTINUE_NEEDED return
 * call indicates that more calls are needed after the next token
 * is received from the peer.
 *
 * State machine: in STATE_NEW the initiator's NegTokenInit is parsed,
 * a common mechanism is selected, the embedded mechanism token is
 * processed and a NegTokenTarg with the negotiated result is produced.
 * In STATE_IN_PROCESS the incoming bytes are handed to the mechanism
 * as-is (they are not parsed as a SPNEGO token) and another NegTokenTarg
 * is produced. No mechListMIC is ever attached to the outgoing
 * NegTokenTarg.
 *
 * @param is contains the token received from the peer.
 * @param mechTokenSize not used by this implementation; the whole
 * stream is read
 * @return any token required to be sent to the peer
 * It is responsibility of the caller to send the token
 * to its peer for processing.
 * @exception GSSException on mechanism failure, or wrapping an
 * IOException from reading the token
 */
public final byte[] acceptSecContext(InputStream is, int mechTokenSize)
    throws GSSException {

    byte[] retVal = null;
    SpNegoToken.NegoResult negoResult;
    // `valid` collects every reason to answer REJECT; it is never reset
    // to true once cleared.
    boolean valid = true;

    if (DEBUG) {
        System.out.println("Entered SpNegoContext.acceptSecContext with " +
                           "state=" + printState(state));
    }

    if (isInitiator()) {
        throw new GSSException(GSSException.FAILURE, -1,
                               "acceptSecContext on an initiator " +
                               "GSSContext");
    }
    try {
        if (state == STATE_NEW) {
            state = STATE_IN_PROCESS;

            // read data
            // NOTE(review): buffer sized from available(), which is only a
            // hint for a general InputStream; presumably callers pass an
            // in-memory stream — confirm.
            byte[] token = new byte[is.available()];
            SpNegoToken.readFully(is, token);
            if (DEBUG) {
                System.out.println("SpNegoContext.acceptSecContext: " +
                                    "receiving token = " +
                                    SpNegoToken.getHexBytes(token));
            }

            // read the SPNEGO token
            // token will be validated when parsing
            NegTokenInit initToken = new NegTokenInit(token);

            if (DEBUG) {
                System.out.println("SpNegoContext.acceptSecContext: " +
                            "received token of type = " +
                            SpNegoToken.getTokenName(initToken.getType()));
            }

            // The raw DER MechTypeList is kept because the initiator's
            // mechListMIC is computed over those exact bytes.
            Oid[] mechList = initToken.getMechTypeList();
            DER_mechTypes = initToken.getMechTypes();
            if (DER_mechTypes == null) {
                valid = false;
            }

            // get the mechanism token
            byte[] mechToken = initToken.getMechToken();

            /*
             * Select the best match between the list of mechs
             * that the initiator requested and the list that
             * the acceptor will support.
             */
            Oid[] supported_mechSet = getAvailableMechs();
            Oid mech_wanted =
                negotiate_mech_type(supported_mechSet, mechList);
            if (mech_wanted == null) {
                valid = false;
            }
            // save the desired mechansim
            internal_mech = mech_wanted;

            // get the token for mechanism
            // NOTE(review): this runs even when `valid` is already false,
            // and before the mechListMIC is checked. GSS_acceptSecContext
            // dereferences token.length without a null check, so a null
            // mechToken would throw NullPointerException here — confirm
            // NegTokenInit.getMechToken() cannot return null.
            byte[] accept_token = GSS_acceptSecContext(mechToken);

            // verify MIC
            // Skipped in MS interop mode; an absent MIC is accepted by
            // verifyMechListMIC (it returns true), so only a present and
            // invalid MIC leads to REJECT.
            if (!GSSUtil.useMSInterop() && valid) {
                valid = verifyMechListMIC(DER_mechTypes,
                                            initToken.getMechListMIC());
            }

            // determine negotiated result status
            if (valid) {
                if (isMechContextEstablished()) {
                    negoResult = SpNegoToken.NegoResult.ACCEPT_COMPLETE;
                    state = STATE_DONE;
                    // now set the context flags for acceptor
                    setContextFlags();
                    // print the negotiated mech info
                    if (DEBUG) {
                        System.out.println("SPNEGO Negotiated Mechanism = "
                            + internal_mech + " " +
                            GSSUtil.getMechStr(internal_mech));
                    }
                } else {
                    negoResult = SpNegoToken.NegoResult.ACCEPT_INCOMPLETE;
                    state = STATE_IN_PROCESS;
                }
            } else {
                // NOTE(review): a REJECT also moves to STATE_DONE, so
                // isEstablished() reports true afterwards; callers are
                // presumably expected to act on the negotiated result in
                // the token instead — confirm.
                negoResult = SpNegoToken.NegoResult.REJECT;
                state = STATE_DONE;
            }

            if (DEBUG) {
                System.out.println("SpNegoContext.acceptSecContext: " +
                            "mechanism wanted = " + mech_wanted);
                System.out.println("SpNegoContext.acceptSecContext: " +
                            "negotiated result = " + negoResult);
            }

            // generate SPNEGO token
            // The enum ordinal is the wire negState value; this matches
            // the 0/1/2 decoding done in initSecContext.
            NegTokenTarg targToken = new NegTokenTarg(negoResult.ordinal(),
                                mech_wanted, accept_token, null);
            if (DEBUG) {
                System.out.println("SpNegoContext.acceptSecContext: " +
                            "sending token of type = " +
                            SpNegoToken.getTokenName(targToken.getType()));
            }
            // get the encoded token
            retVal = targToken.getEncoded();

        } else if (state == STATE_IN_PROCESS) {
            // read the token
            // Continuation leg: the bytes are treated as a raw mechanism
            // token and passed straight to the mechanism.
            byte[] client_token = new byte[is.available()];
            SpNegoToken.readFully(is, client_token);
            byte[] accept_token = GSS_acceptSecContext(client_token);
            if (accept_token == null) {
                valid = false;
            }

            // determine negotiated result status
            if (valid) {
                if (isMechContextEstablished()) {
                    negoResult = SpNegoToken.NegoResult.ACCEPT_COMPLETE;
                    state = STATE_DONE;
                } else {
                    negoResult = SpNegoToken.NegoResult.ACCEPT_INCOMPLETE;
                    state = STATE_IN_PROCESS;
                }
            } else {
                // See the note on REJECT in the STATE_NEW branch above.
                negoResult = SpNegoToken.NegoResult.REJECT;
                state = STATE_DONE;
            }

            // generate SPNEGO token
            // supportedMech is omitted on continuation legs.
            NegTokenTarg targToken = new NegTokenTarg(negoResult.ordinal(),
                                null, accept_token, null);
            if (DEBUG) {
                System.out.println("SpNegoContext.acceptSecContext: " +
                            "sending token of type = " +
                            SpNegoToken.getTokenName(targToken.getType()));
            }
            // get the encoded token
            retVal = targToken.getEncoded();

        } else {
            // XXX Use logging API
            // STATE_DONE / STATE_DELETED: nothing to do, retVal stays null.
            if (DEBUG) {
                System.out.println("AcceptSecContext: state = " + state);
            }
        }
        if (DEBUG) {
            System.out.println("SpNegoContext.acceptSecContext: " +
                "sending token = " + SpNegoToken.getHexBytes(retVal));
        }
    } catch (IOException e) {
        // Stream failures surface as a generic FAILURE with the cause kept.
        GSSException gssException =
                new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }

    if (state == STATE_DONE) {
        // now set the context flags for acceptor
        // This also runs after a REJECT, and a second time after the
        // ACCEPT_COMPLETE path above; setContextFlags() only copies the
        // mechanism's flags, so the repeat is harmless.
        setContextFlags();
    }
    return retVal;
}
|
649 |
||
650 |
/**
 * Obtains the mechanisms this context can negotiate: just the credential's
 * own mechanism when a credential was supplied, otherwise every mechanism
 * the factory makes available.
 *
 * @return the candidate mechanism OIDs, in preference order (the first
 *         one is used optimistically by the initiator)
 */
private Oid[] getAvailableMechs() {
    if (myCred == null) {
        return factory.availableMechs;
    }
    return new Oid[] { myCred.getInternalMech() };
}
|
662 |
||
663 |
/**
 * DER-encodes a mechanism list as a SEQUENCE of OIDs, i.e. the SPNEGO
 * MechTypeList carried in NegTokenInit.
 *
 * @param mechSet the mechanisms, in the order they should be offered
 * @return the DER encoding of the SEQUENCE
 * @throws IOException if writing to the DER output stream fails
 * @throws GSSException if an OID cannot be DER-encoded
 */
private byte[] getEncodedMechs(Oid[] mechSet)
    throws IOException, GSSException {
    // Concatenate the DER of every OID, then wrap the run in a SEQUENCE.
    DerOutputStream elements = new DerOutputStream();
    for (Oid mechanism : mechSet) {
        elements.write(mechanism.getDER());
    }
    DerOutputStream sequence = new DerOutputStream();
    sequence.write(DerValue.tag_Sequence, elements);
    return sequence.toByteArray();
}
|
680 |
||
681 |
/**
 * Builds the ContextFlags BIT STRING sent in NegTokenInit. Bit positions
 * follow the SPNEGO ContextFlags definition (RFC 4178): delegFlag(0),
 * mutualFlag(1), replayFlag(2), sequenceFlag(3), anonFlag(4),
 * confFlag(5), integFlag(6). anonFlag is never set by this context.
 *
 * @return the 7-bit flag array reflecting the current flag state
 */
private BitArray getContextFlags() {
    BitArray flags = new BitArray(7);
    // Getters are evaluated left to right, i.e. in bit order.
    boolean[] requested = {
        getCredDelegState(),
        getMutualAuthState(),
        getReplayDetState(),
        getSequenceDetState(),
        false,                 // anonFlag: not supported
        getConfState(),
        getIntegState()
    };
    for (int bit = 0; bit < requested.length; bit++) {
        if (requested[bit]) {
            flags.set(bit, true);
        }
    }
    return flags;
}
696 |
||
4336 | 697 |
// Only called on acceptor side. On the initiator side, most flags
// are already set at request. For those that might get changed,
// state from mech below is used.
/**
 * Copies the effective flags of the negotiated mechanism context into
 * this context's flag fields. Credential delegation (default false) can
 * only be raised; the remaining flags (default true) can only be
 * lowered. No-op while no mechanism context exists.
 */
private void setContextFlags() {
    GSSContext mech = mechContext;
    if (mech == null) {
        return;
    }
    // default for cred delegation is false
    credDelegState |= mech.getCredDelegState();
    // default for the following are true
    mutualAuthState &= mech.getMutualAuthState();
    replayDetState &= mech.getReplayDetState();
    sequenceDetState &= mech.getSequenceDetState();
    integState &= mech.getIntegState();
    confState &= mech.getConfState();
}
|
725 |
||
726 |
/** |
|
4337 | 727 |
* generate MIC on mechList. Not used at the moment. |
2 | 728 |
*/ |
4337 | 729 |
/*private byte[] generateMechListMIC(byte[] mechTypes) |
2 | 730 |
throws GSSException { |
731 |
||
732 |
// sanity check the required input |
|
733 |
if (mechTypes == null) { |
|
734 |
if (DEBUG) { |
|
735 |
System.out.println("SpNegoContext: no MIC token included"); |
|
736 |
} |
|
737 |
return null; |
|
738 |
} |
|
739 |
||
740 |
// check if mechanism supports integrity
|
741 |
if (!mechContext.getIntegState()) { |
|
742 |
if (DEBUG) { |
|
743 |
System.out.println("SpNegoContext: no MIC token included" + |
|
744 |
" - mechanism does not support integrity"); |
|
745 |
} |
|
746 |
return null; |
|
747 |
} |
|
748 |
||
749 |
// compute MIC on DER encoded mechanism list |
|
750 |
byte[] mic = null; |
|
751 |
try { |
|
752 |
MessageProp prop = new MessageProp(0, true); |
|
753 |
mic = getMIC(mechTypes, 0, mechTypes.length, prop); |
|
754 |
if (DEBUG) { |
|
755 |
System.out.println("SpNegoContext: getMIC = " + |
|
756 |
SpNegoToken.getHexBytes(mic)); |
|
757 |
} |
|
758 |
} catch (GSSException e) { |
|
759 |
mic = null; |
|
760 |
if (DEBUG) { |
|
761 |
System.out.println("SpNegoContext: no MIC token included" + |
|
762 |
" - getMIC failed : " + e.getMessage()); |
|
763 |
} |
|
764 |
} |
|
765 |
return mic; |
|
4337 | 766 |
}*/ |
2 | 767 |
|
768 |
/**
 * Verifies the peer's mechListMIC over the DER-encoded mechanism list.
 *
 * Two cases are treated as success without any cryptographic check: a
 * missing MIC ({@code token == null}) and a mechanism context that does
 * not provide integrity. Only a MIC that is present and fails
 * {@code verifyMIC} is rejected, so callers that need the MIC to be
 * mandatory must check for its presence themselves.
 *
 * @param mechTypes the DER MechTypeList the MIC was computed over
 * @param token     the received MIC token, or null if none was sent
 * @return true if the MIC is absent, not verifiable, or valid; false if
 *         verification failed
 * @throws GSSException declared for the verifyMIC call; failures of the
 *         verification itself are caught and reported as false
 */
private boolean verifyMechListMIC(byte[] mechTypes, byte[] token)
    throws GSSException {
    if (token == null) {
        if (DEBUG) {
            System.out.println("SpNegoContext: no MIC token validation");
        }
        return true;
    }
    if (!mechContext.getIntegState()) {
        if (DEBUG) {
            System.out.println("SpNegoContext: no MIC token validation" +
                " - mechanism does not support integrity");
        }
        return true;
    }
    try {
        MessageProp prop = new MessageProp(0, true);
        verifyMIC(token, 0, token.length, mechTypes,
                  0, mechTypes.length, prop);
    } catch (GSSException e) {
        if (DEBUG) {
            System.out.println("SpNegoContext: MIC validation failed! " +
                e.getMessage());
        }
        return false;
    }
    return true;
}
|
807 |
||
808 |
/**
 * Calls initSecContext on the underlying mechanism, creating and
 * configuring the mechanism context on first use. The requested flags
 * are forwarded to the mechanism before its first token is produced.
 *
 * NOTE(review): the mechanism context is created with
 * {@code GSSContext.DEFAULT_LIFETIME}; the {@code lifetime} this SPNEGO
 * context was constructed with is not forwarded — confirm whether it
 * should be.
 *
 * @param token the peer's mechanism token, or null on the first call
 *              (an empty array is handed to the mechanism instead)
 * @return the mechanism's output token
 * @throws GSSException from name/credential/context creation or from
 *         the mechanism's initSecContext
 */
private byte[] GSS_initSecContext(byte[] token) throws GSSException {
    if (mechContext == null) {
        // The peer name is re-resolved under the mechanism actually
        // being negotiated.
        GSSName serverName =
            factory.manager.createName(peerName.toString(),
                    peerName.getStringNameType(), internal_mech);
        GSSCredential cred = null;
        if (myCred != null) {
            cred = new GSSCredentialImpl(factory.manager,
                                         myCred.getInternalCred());
        }
        mechContext = factory.manager.createContext(serverName,
                internal_mech, cred, GSSContext.DEFAULT_LIFETIME);
        GSSContext mech = mechContext;
        mech.requestConf(confState);
        mech.requestInteg(integState);
        mech.requestCredDeleg(credDelegState);
        mech.requestMutualAuth(mutualAuthState);
        mech.requestReplayDet(replayDetState);
        mech.requestSequenceDet(sequenceDetState);
        if (mech instanceof ExtendedGSSContext) {
            ((ExtendedGSSContext) mech).requestDelegPolicy(delegPolicyState);
        }
    }
    // The mechanism expects a real (possibly empty) array, never null.
    byte[] input = (token == null) ? new byte[0] : token;
    return mechContext.initSecContext(input, 0, input.length);
}
|
852 |
||
853 |
/**
 * Calls acceptSecContext on the underlying mechanism, creating the
 * mechanism context on first use. The context is created from the
 * acceptor credential only; the mechanism is determined by the token.
 *
 * @param token the initiator's mechanism token; must not be null
 *              (NOTE(review): {@code token.length} is dereferenced
 *              without a null check)
 * @return the mechanism's output token
 * @throws GSSException from credential/context creation or from the
 *         mechanism's acceptSecContext
 */
private byte[] GSS_acceptSecContext(byte[] token) throws GSSException {
    if (mechContext == null) {
        GSSCredential cred = null;
        if (myCred != null) {
            cred = new GSSCredentialImpl(factory.manager,
                                         myCred.getInternalCred());
        }
        mechContext = factory.manager.createContext(cred);
    }
    return mechContext.acceptSecContext(token, 0, token.length);
}
|
||
/**
 * Picks the mechanism to use from the peer's offered list.
 *
 * The outer loop walks {@code supported_mechSet}, so the result is the
 * acceptor's most-preferred mechanism that the peer also offered, whatever
 * position it has in the peer's own list. Callers are responsible for
 * setting negResult based on the outcome (this method only returns the
 * match) and, presumably, for comparing the choice against the peer's first
 * preference before using any optimistic mechanism token -- that logic is
 * not visible here; confirm.
 *
 * @param supported_mechSet mechanisms this side supports, preference order
 * @param mechSet           mechanisms offered by the peer
 * @return the chosen mechanism (the instance taken from {@code mechSet}),
 *         or {@code null} when there is no overlap
 */
private static Oid negotiate_mech_type(Oid[] supported_mechSet,
                                       Oid[] mechSet) {
    for (Oid candidate : supported_mechSet) {
        for (Oid offered : mechSet) {
            if (!offered.equals(candidate)) {
                continue;
            }
            if (DEBUG) {
                System.out.println("SpNegoContext: " +
                    "negotiated mechanism = " + offered);
            }
            return offered;
        }
    }
    return null;
}
|
||
/**
 * Reports whether SPNEGO negotiation has reached its terminal state.
 *
 * @return {@code true} only when {@code state} is {@code STATE_DONE}
 */
public final boolean isEstablished() {
    if (state != STATE_DONE) {
        return false;
    }
    return true;
}
|
||
/**
 * Reports whether the negotiated mechanism's own context is established.
 *
 * @return the mechanism context's answer, or {@code false} (with a DEBUG
 *         message) when no mechanism context has been created yet
 */
public final boolean isMechContextEstablished() {
    if (mechContext == null) {
        if (DEBUG) {
            System.out.println("The underlying mechansim context has " +
                "not been initialized");
        }
        return false;
    }
    return mechContext.isEstablished();
}
|
||
/**
 * Context export is not supported by the SPNEGO pseudo-mechanism.
 *
 * @return never returns normally
 * @throws GSSException always, with major code {@code UNAVAILABLE}
 */
public final byte[] export() throws GSSException {
    GSSException unsupported = new GSSException(GSSException.UNAVAILABLE,
        -1, "GSS Export Context not available");
    throw unsupported;
}
|
||
/**
 * Records the channel bindings the application wants applied during
 * context establishment.
 *
 * NOTE(review): this method only stores the value. In the visible
 * GSS_initSecContext and GSS_acceptSecContext paths the mechanism context
 * is created without ever being handed these bindings, so unless another
 * code path forwards {@code getChannelBinding()} to {@code mechContext},
 * the bindings are never enforced by the underlying mechanism -- confirm.
 *
 * @param channelBinding the bindings to remember (a null value is stored
 *                       as-is)
 */
public final void setChannelBinding(ChannelBinding channelBinding)
        throws GSSException {
    ChannelBinding requested = channelBinding;
    this.channelBinding = requested;
}
|
||
/**
 * Package-private accessor for the bindings stored by setChannelBinding.
 *
 * @return the recorded channel bindings, or {@code null} if none were set
 */
final ChannelBinding getChannelBinding() {
    ChannelBinding recorded = this.channelBinding;
    return recorded;
}
|
||
/*
 * Anonymity differs from the other request flags: an initiator wants to
 * learn whether the mechanism can honour it before any token leaves the
 * process, since the request is really "keep the initiator anonymous".
 * This implementation never provides that (getAnonymityState() answers
 * false), so the request is accepted silently rather than rejected.
 */
public final void requestAnonymity(boolean value) throws GSSException {
    // Intentionally a no-op: the flag is neither recorded nor forwarded to
    // the mechanism. Applications query getAnonymityState() afterwards.
}
|
||
// Deliberately answerable before establishment: RFC 2853 would have this
// queried only after the context is established, but an application that
// cannot obtain anonymity may not want to send any token at all.
/**
 * Always {@code false}: this SPNEGO implementation never makes the
 * initiator anonymous (requestAnonymity discards the request).
 */
public final boolean getAnonymityState() {
    final boolean anonymous = false;
    return anonymous;
}
|
||
/**
 * Records the lifetime the application asks for. Honoured only while the
 * context is still {@code STATE_NEW} and this side is the initiator; any
 * other call is ignored silently.
 *
 * NOTE(review): the stored value is not consulted by the visible
 * GSS_initSecContext, which creates the mechanism context with
 * {@code GSSContext.DEFAULT_LIFETIME}; confirm whether {@code lifetime} is
 * used anywhere else, otherwise this request has no effect.
 *
 * @param lifetime requested lifetime in seconds, as per the GSS-API
 */
public void requestLifetime(int lifetime) throws GSSException {
    if (state != STATE_NEW) {
        return;
    }
    if (isInitiator()) {
        this.lifetime = lifetime;
    }
}
|
||
/**
 * Remaining lifetime of this context, as reported by the mechanism.
 *
 * NOTE(review): before a mechanism context exists this answers
 * {@code INDEFINITE_LIFETIME}, which reads as "never expires" rather than
 * "not established yet"; callers should not take it as a security
 * guarantee.
 *
 * @return the mechanism context's remaining lifetime, or
 *         {@code GSSContext.INDEFINITE_LIFETIME} when there is none
 */
public final int getLifetime() {
    int remaining = GSSContext.INDEFINITE_LIFETIME;
    if (mechContext != null) {
        remaining = mechContext.getLifetime();
    }
    return remaining;
}
|
||
/**
 * SPNEGO contexts cannot be exported, so they are never transferable
 * (consistent with export(), which always throws).
 *
 * @return {@code false}
 */
public final boolean isTransferable() throws GSSException {
    final boolean transferable = false;
    return transferable;
}
|
||
/**
 * Asks for sequence checking on GSS wrap and MIC tokens. Honoured only
 * while the context is {@code STATE_NEW} and this side is the initiator;
 * otherwise the call is ignored silently.
 *
 * @param value {@code true} to request sequence detection
 */
public final void requestSequenceDet(boolean value) throws GSSException {
    if (state != STATE_NEW) {
        return;
    }
    if (isInitiator()) {
        sequenceDetState = value;
    }
}
|
||
/**
 * Is sequence checking enabled on the GSS wrap and MIC tokens?
 * Reported as enabled whenever either sequence detection or replay
 * detection was requested.
 *
 * NOTE(review): GSS_initSecContext forwards the raw {@code sequenceDetState}
 * field to the mechanism, not this combined value, so the coupling affects
 * only what this context reports, not what was requested -- confirm this is
 * intended.
 *
 * @return {@code true} if sequence or replay detection was requested
 */
public final boolean getSequenceDetState() {
    if (sequenceDetState) {
        return true;
    }
    return replayDetState;
}
|
||
/**
 * Asks for replay detection on GSS wrap and MIC tokens. Honoured only
 * while the context is {@code STATE_NEW} and this side is the initiator;
 * otherwise the call is ignored silently.
 *
 * @param value {@code true} to request replay detection
 */
public final void requestReplayDet(boolean value) throws GSSException {
    if (state != STATE_NEW) {
        return;
    }
    if (isInitiator()) {
        replayDetState = value;
    }
}
|
||
/**
 * Is replay detection enabled on the GSS wrap and MIC tokens?
 * Reported as enabled whenever either replay detection or sequence
 * checking was requested.
 *
 * NOTE(review): GSS_initSecContext forwards the raw {@code replayDetState}
 * field to the mechanism, not this combined value, so the coupling affects
 * only what this context reports, not what was requested -- confirm this is
 * intended.
 *
 * @return {@code true} if replay or sequence detection was requested
 */
public final boolean getReplayDetState() {
    if (replayDetState) {
        return true;
    }
    return sequenceDetState;
}
|
||
/**
 * Returns the peer (target) name as known to the negotiated mechanism and
 * caches it in {@code peerName} as a side effect.
 *
 * @return the name element for {@code internal_mech}, or {@code null}
 *         (with a DEBUG message) when no mechanism context exists yet
 * @throws GSSException propagated from the mechanism context
 */
public final GSSNameSpi getTargName() throws GSSException {
    if (mechContext == null) {
        if (DEBUG) {
            System.out.println("The underlying mechansim context has " +
                "not been initialized");
        }
        return null;
    }
    GSSNameImpl mechTarget = (GSSNameImpl) mechContext.getTargName();
    // Assumes the mechanism-level name is non-null and carries an element
    // for the negotiated mech -- TODO confirm against GSSContextImpl.
    peerName = (GSSNameSpi) mechTarget.getElement(internal_mech);
    return peerName;
}
|
||
/**
 * Returns the source (initiator) name as known to the negotiated mechanism
 * and caches it in {@code myName} as a side effect.
 *
 * @return the name element for {@code internal_mech}, or {@code null}
 *         (with a DEBUG message) when no mechanism context exists yet
 * @throws GSSException propagated from the mechanism context
 */
public final GSSNameSpi getSrcName() throws GSSException {
    if (mechContext == null) {
        if (DEBUG) {
            System.out.println("The underlying mechansim context has " +
                "not been initialized");
        }
        return null;
    }
    GSSNameImpl mechSource = (GSSNameImpl) mechContext.getSrcName();
    // Assumes the mechanism-level name is non-null and carries an element
    // for the negotiated mech -- TODO confirm against GSSContextImpl.
    myName = (GSSNameSpi) mechSource.getElement(internal_mech);
    return myName;
}
|
||
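/**
 * Returns the credential delegated by the peer, as seen through the
 * negotiated mechanism, or {@code null} when the mechanism context reports
 * no delegated credential. Delegation is optional (requested via
 * <b>CRED_DELEG</b>) and only meaningful on the acceptor side.
 *
 * Security note: the state check admits {@code STATE_IN_PROCESS} as well
 * as {@code STATE_DONE}, so a delegated credential can be read before the
 * SPNEGO negotiation has fully completed; the mechanism context is relied
 * on to hand one out only when appropriate.
 *
 * @return the delegated mechanism credential element, or {@code null}
 * @throws GSSException with {@code NO_CONTEXT} if called before the context
 *         reached STATE_IN_PROCESS/STATE_DONE, or before a mechanism
 *         context exists
 * @see GSSContext#getDelegCredState
 */
public final GSSCredentialSpi getDelegCred() throws GSSException {
    if (state != STATE_IN_PROCESS && state != STATE_DONE) {
        throw new GSSException(GSSException.NO_CONTEXT);
    }
    if (mechContext == null) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
            "getDelegCred called in invalid state!");
    }

    GSSCredentialImpl delegCred =
        (GSSCredentialImpl) mechContext.getDelegCred();
    if (delegCred == null) {
        // Nothing was delegated: report absence instead of dereferencing
        // null on getUsage() below. Callers are expected to treat null as
        // "no delegated credential" -- TODO confirm against GSSContextImpl.
        return null;
    }

    // Pick the element matching the credential's usage; anything other
    // than INITIATE_ONLY is looked up as an acceptor element.
    boolean initiate =
        (delegCred.getUsage() == GSSCredential.INITIATE_ONLY);
    GSSCredentialSpi mechCred = (GSSCredentialSpi)
        delegCred.getElement(internal_mech, initiate);
    return new SpNegoCredElement(mechCred).getInternalCred();
}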
|
||
/**
 * Delegates the wrap-size computation to the negotiated mechanism.
 *
 * @param qop        requested quality of protection
 * @param confReq    whether confidentiality is requested
 * @param maxTokSize maximum token size the caller can send
 * @return the mechanism's limit on input size for wrap()
 * @throws GSSException with {@code NO_CONTEXT} if no mechanism context
 *         exists yet, or whatever the mechanism throws
 */
public final int getWrapSizeLimit(int qop, boolean confReq,
                                  int maxTokSize) throws GSSException {
    if (mechContext == null) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
            "getWrapSizeLimit called in invalid state!");
    }
    return mechContext.getWrapSizeLimit(qop, confReq, maxTokSize);
}
|
||
/**
 * Wraps a message by delegating to the negotiated mechanism context.
 * Only the existence of a mechanism context is checked here; whether it is
 * established is left to the mechanism to enforce.
 *
 * @param inBuf   buffer holding the plaintext
 * @param offset  start of the plaintext within {@code inBuf}
 * @param len     number of plaintext bytes
 * @param msgProp per-message properties passed through to the mechanism
 * @return the wrapped token produced by the mechanism
 * @throws GSSException with {@code NO_CONTEXT} if no mechanism context
 *         exists yet, or whatever the mechanism throws
 */
public final byte[] wrap(byte inBuf[], int offset, int len,
                         MessageProp msgProp) throws GSSException {
    if (mechContext == null) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
            "Wrap called in invalid state!");
    }
    return mechContext.wrap(inBuf, offset, len, msgProp);
}
|
||
/**
 * Stream variant of wrap(): delegates to the negotiated mechanism context.
 * Only the existence of a mechanism context is checked here.
 *
 * @param is      plaintext source
 * @param os      destination for the wrapped token
 * @param msgProp per-message properties passed through to the mechanism
 * @throws GSSException with {@code NO_CONTEXT} if no mechanism context
 *         exists yet, or whatever the mechanism throws
 */
public final void wrap(InputStream is, OutputStream os,
                       MessageProp msgProp) throws GSSException {
    if (mechContext == null) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
            "Wrap called in invalid state!");
    }
    mechContext.wrap(is, os, msgProp);
}
|
||
/**
 * Unwraps a peer-supplied token by delegating to the negotiated mechanism
 * context, which performs the actual integrity/confidentiality checks.
 * Only the existence of a mechanism context is checked here.
 *
 * @param inBuf   buffer holding the wrapped token
 * @param offset  start of the token within {@code inBuf}
 * @param len     token length in bytes
 * @param msgProp per-message properties passed through to the mechanism
 * @return the recovered message
 * @throws GSSException with {@code NO_CONTEXT} if no mechanism context
 *         exists yet, or whatever the mechanism throws
 */
public final byte[] unwrap(byte inBuf[], int offset, int len,
                           MessageProp msgProp)
        throws GSSException {
    if (mechContext == null) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
            "UnWrap called in invalid state!");
    }
    return mechContext.unwrap(inBuf, offset, len, msgProp);
}
|
||
/**
 * Stream variant of unwrap(): delegates to the negotiated mechanism
 * context. Only the existence of a mechanism context is checked here.
 *
 * @param is      source of the wrapped token
 * @param os      destination for the recovered message
 * @param msgProp per-message properties passed through to the mechanism
 * @throws GSSException with {@code NO_CONTEXT} if no mechanism context
 *         exists yet, or whatever the mechanism throws
 */
public final void unwrap(InputStream is, OutputStream os,
                         MessageProp msgProp) throws GSSException {
    if (mechContext == null) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
            "UnWrap called in invalid state!");
    }
    mechContext.unwrap(is, os, msgProp);
}
|
||
/**
 * Computes a MIC over a message by delegating to the negotiated mechanism
 * context. Only the existence of a mechanism context is checked here.
 *
 * @param inMsg   buffer holding the message
 * @param offset  start of the message within {@code inMsg}
 * @param len     message length in bytes
 * @param msgProp per-message properties passed through to the mechanism
 * @return the MIC token produced by the mechanism
 * @throws GSSException with {@code NO_CONTEXT} if no mechanism context
 *         exists yet, or whatever the mechanism throws
 */
public final byte[] getMIC(byte []inMsg, int offset, int len,
                           MessageProp msgProp)
        throws GSSException {
    if (mechContext == null) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
            "getMIC called in invalid state!");
    }
    return mechContext.getMIC(inMsg, offset, len, msgProp);
}
|
||
/**
 * Stream variant of getMIC(): delegates to the negotiated mechanism
 * context. Only the existence of a mechanism context is checked here.
 *
 * @param is      message source
 * @param os      destination for the MIC token
 * @param msgProp per-message properties passed through to the mechanism
 * @throws GSSException with {@code NO_CONTEXT} if no mechanism context
 *         exists yet, or whatever the mechanism throws
 */
public final void getMIC(InputStream is, OutputStream os,
                         MessageProp msgProp) throws GSSException {
    if (mechContext == null) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
            "getMIC called in invalid state!");
    }
    mechContext.getMIC(is, os, msgProp);
}
|
||
/**
 * Verifies a peer-supplied MIC token against a message by delegating to
 * the negotiated mechanism context; a failed check surfaces as whatever
 * exception the mechanism raises. Only the existence of a mechanism
 * context is checked here.
 *
 * @param inTok     buffer holding the MIC token
 * @param tokOffset start of the token within {@code inTok}
 * @param tokLen    token length in bytes
 * @param inMsg     buffer holding the message the token covers
 * @param msgOffset start of the message within {@code inMsg}
 * @param msgLen    message length in bytes
 * @param msgProp   per-message properties passed through to the mechanism
 * @throws GSSException with {@code NO_CONTEXT} if no mechanism context
 *         exists yet, or whatever the mechanism throws
 */
public final void verifyMIC(byte []inTok, int tokOffset, int tokLen,
                            byte[] inMsg, int msgOffset, int msgLen,
                            MessageProp msgProp)
        throws GSSException {
    if (mechContext == null) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
            "verifyMIC called in invalid state!");
    }
    mechContext.verifyMIC(inTok, tokOffset, tokLen,
                          inMsg, msgOffset, msgLen, msgProp);
}
|
||
/**
 * Stream variant of verifyMIC(): delegates to the negotiated mechanism
 * context. Only the existence of a mechanism context is checked here.
 *
 * @param is      source of the MIC token
 * @param msgStr  source of the message the token covers
 * @param msgProp per-message properties passed through to the mechanism
 * @throws GSSException with {@code NO_CONTEXT} if no mechanism context
 *         exists yet, or whatever the mechanism throws
 */
public final void verifyMIC(InputStream is, InputStream msgStr,
                            MessageProp msgProp) throws GSSException {
    if (mechContext == null) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
            "verifyMIC called in invalid state!");
    }
    mechContext.verifyMIC(is, msgStr, msgProp);
}
|
||
/**
 * Maps a STATE_* constant to its symbolic name for debug output.
 *
 * @param state one of the STATE_* values
 * @return the constant's name, or {@code "Unknown state N"} for any other
 *         value
 */
private static String printState(int state) {
    String label;
    switch (state) {
        case STATE_NEW:
            label = "STATE_NEW";
            break;
        case STATE_IN_PROCESS:
            label = "STATE_IN_PROCESS";
            break;
        case STATE_DONE:
            label = "STATE_DONE";
            break;
        case STATE_DELETED:
            label = "STATE_DELETED";
            break;
        default:
            label = "Unknown state " + state;
            break;
    }
    return label;
}
|
/**
 * Retrieves the context attribute selected by {@code type} from the
 * negotiated mechanism (the changeset that added this method did so to
 * expose the Kerberos session key to applications).
 *
 * Security note: the only check made here is that a mechanism context
 * exists; the mechanism's own inquireSecContext is relied on to decide
 * whether the attribute may be released in its current state.
 *
 * @param type which attribute to fetch
 * @return the mechanism's answer for {@code type}
 * @throws GSSException with {@code NO_CONTEXT} when no mechanism context
 *         exists, or {@code BAD_MECH} when the mechanism context is not an
 *         ExtendedGSSContext
 */
public Object inquireSecContext(InquireType type)
        throws GSSException {
    if (mechContext == null) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
            "Underlying mech not established.");
    }
    if (!(mechContext instanceof ExtendedGSSContext)) {
        throw new GSSException(GSSException.BAD_MECH, -1,
            "inquireSecContext not supported by underlying mech.");
    }
    ExtendedGSSContext extended = (ExtendedGSSContext) mechContext;
    return extended.inquireSecContext(type);
}
} |