author | weijun |
Wed, 28 Sep 2011 14:21:10 +0800 | |
changeset 10696 | 3811a12690ce |
parent 7801 | 814c8359b104 |
child 10697 | ecee258b7d87 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
2 |
* Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.jgss.krb5; |
|
27 |
||
28 |
import org.ietf.jgss.*; |
|
29 |
import java.io.InputStream; |
|
30 |
import java.io.OutputStream; |
|
31 |
import java.io.IOException; |
|
32 |
import java.io.ByteArrayInputStream; |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
33 |
import java.io.ByteArrayOutputStream; |
2 | 34 |
import java.security.MessageDigest; |
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
35 |
import java.util.Arrays; |
2 | 36 |
|
37 |
/** |
|
38 |
* This class is a base class for new GSS token definitions, as defined |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
39 |
* in RFC 4121, that pertain to per-message GSS-API calls. Conceptually |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
40 |
* GSS-API has two types of per-message tokens: WrapToken and MicToken. |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
41 |
* They differ in the respect that a WrapToken carries additional plaintext |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
42 |
* or ciphertext application data besides just the sequence number and |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
43 |
* checksum. This class encapsulates the commonality in the structure of |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
44 |
* the WrapToken and the MicToken. This structure can be represented as: |
2 | 45 |
* <p> |
46 |
* <pre> |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
47 |
* Wrap Tokens |
2 | 48 |
* |
49 |
* Octet no Name Description |
|
50 |
* --------------------------------------------------------------- |
|
51 |
* 0..1 TOK_ID Identification field. Tokens emitted by |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
52 |
* GSS_Wrap() contain the hex value 05 04 |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
53 |
* expressed in big-endian order in this field. |
2 | 54 |
* 2 Flags Attributes field, as described in section |
55 |
* 4.2.2. |
|
56 |
* 3 Filler Contains the hex value FF. |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
57 |
* 4..5 EC Contains the "extra count" field, in big- |
2 | 58 |
* endian order as described in section 4.2.3. |
59 |
* 6..7 RRC Contains the "right rotation count" in big |
|
60 |
* endian order, as described in section 4.2.5. |
|
61 |
* 8..15 SND_SEQ Sequence number field in clear text, |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
62 |
* expressed in big-endian order. |
2 | 63 |
* 16..last Data Encrypted data for Wrap tokens with |
64 |
* confidentiality, or plaintext data followed |
|
65 |
* by the checksum for Wrap tokens without |
|
66 |
* confidentiality, as described in section |
|
67 |
* 4.2.4. |
|
68 |
* MIC Tokens |
|
69 |
* |
|
70 |
* Octet no Name Description |
|
71 |
* ----------------------------------------------------------------- |
|
72 |
* 0..1 TOK_ID Identification field. Tokens emitted by |
|
73 |
* GSS_GetMIC() contain the hex value 04 04 |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
74 |
* expressed in big-endian order in this field. |
2 | 75 |
* 2 Flags Attributes field, as described in section |
76 |
* 4.2.2. |
|
77 |
* 3..7 Filler Contains five octets of hex value FF. |
|
78 |
* 8..15 SND_SEQ Sequence number field in clear text, |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
79 |
* expressed in big-endian order. |
2 | 80 |
* 16..last SGN_CKSUM Checksum of the "to-be-signed" data and |
81 |
* octet 0..15, as described in section 4.2.4. |
|
82 |
* |
|
83 |
* </pre> |
|
84 |
* <p> |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
85 |
* This class is the super class of WrapToken_v2 and MicToken_v2. The token's |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
86 |
* header (bytes[0..15]) and data (byte[16..]) are saved in tokenHeader and |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
87 |
* tokenData fields. Since there is no easy way to find out the exact length |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
88 |
* of a WrapToken_v2 token from any header info, in the case of reading from |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
89 |
* stream, we read all available() bytes into the token. |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
90 |
* <p> |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
91 |
* All read actions are performed in this super class. On the write part, the |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
92 |
* super class only write the tokenHeader, and the content writing is inside |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
93 |
* child classes. |
2 | 94 |
* |
95 |
* @author Seema Malkani |
|
96 |
*/ |
|
97 |
||
98 |
abstract class MessageToken_v2 extends Krb5Token { |
|
99 |
||
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
100 |
protected static final int TOKEN_HEADER_SIZE = 16; |
2 | 101 |
private static final int TOKEN_ID_POS = 0; |
102 |
private static final int TOKEN_FLAG_POS = 2; |
|
103 |
private static final int TOKEN_EC_POS = 4; |
|
104 |
private static final int TOKEN_RRC_POS = 6; |
|
105 |
||
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
106 |
/** |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
107 |
* The size of the random confounder used in a WrapToken. |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
108 |
*/ |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
109 |
protected static final int CONFOUNDER_SIZE = 16; |
2 | 110 |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
111 |
// RFC 4121, key usage values |
2 | 112 |
static final int KG_USAGE_ACCEPTOR_SEAL = 22; |
113 |
static final int KG_USAGE_ACCEPTOR_SIGN = 23; |
|
114 |
static final int KG_USAGE_INITIATOR_SEAL = 24; |
|
115 |
static final int KG_USAGE_INITIATOR_SIGN = 25; |
|
116 |
||
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
117 |
// RFC 4121, Flags Field |
2 | 118 |
private static final int FLAG_SENDER_IS_ACCEPTOR = 1; |
119 |
private static final int FLAG_WRAP_CONFIDENTIAL = 2; |
|
120 |
private static final int FLAG_ACCEPTOR_SUBKEY = 4; |
|
121 |
private static final int FILLER = 0xff; |
|
122 |
||
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
123 |
private MessageTokenHeader tokenHeader = null; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
124 |
|
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
125 |
// Common field |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
126 |
private int tokenId = 0; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
127 |
private int seqNumber; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
128 |
protected byte[] tokenData; // content of token, without the header |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
129 |
protected int tokenDataLen; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
130 |
|
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
131 |
// Key usage number for crypto action |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
132 |
private int key_usage = 0; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
133 |
|
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
134 |
// EC and RRC fields, WrapToken only |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
135 |
private int ec = 0; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
136 |
private int rrc = 0; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
137 |
|
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
138 |
// Checksum. Always in MicToken, might be in WrapToken |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
139 |
byte[] checksum = null; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
140 |
|
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
141 |
// Context properties |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
142 |
private boolean confState = true; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
143 |
private boolean initiator = true; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
144 |
|
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
145 |
/* cipher instance used by the corresponding GSSContext */ |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
146 |
CipherHelper cipherHelper = null; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
147 |
|
2 | 148 |
/** |
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
149 |
* Constructs a MessageToken from a byte array. |
2 | 150 |
* |
151 |
* @param tokenId the token id that should be contained in this token as |
|
152 |
* it is read. |
|
153 |
* @param context the Kerberos context associated with this token |
|
154 |
* @param tokenBytes the byte array containing the token |
|
155 |
* @param tokenOffset the offset where the token begins |
|
156 |
* @param tokenLen the length of the token |
|
157 |
* @param prop the MessageProp structure in which the properties of the |
|
158 |
* token should be stored. |
|
159 |
* @throws GSSException if there is a problem parsing the token |
|
160 |
*/ |
|
161 |
MessageToken_v2(int tokenId, Krb5Context context, |
|
162 |
byte[] tokenBytes, int tokenOffset, int tokenLen, |
|
163 |
MessageProp prop) throws GSSException { |
|
164 |
this(tokenId, context, |
|
165 |
new ByteArrayInputStream(tokenBytes, tokenOffset, tokenLen), |
|
166 |
prop); |
|
167 |
} |
|
168 |
||
169 |
/** |
|
170 |
* Constructs a MessageToken from an InputStream. Bytes will be read on |
|
171 |
* demand and the thread might block if there are not enough bytes to |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
172 |
* complete the token. Please note there is no accurate way to find out |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
173 |
* the size of a token, but we try our best to make sure there is |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
174 |
* enough bytes to construct one. |
2 | 175 |
* |
176 |
* @param tokenId the token id that should be contained in this token as |
|
177 |
* it is read. |
|
178 |
* @param context the Kerberos context associated with this token |
|
179 |
* @param is the InputStream from which to read |
|
180 |
* @param prop the MessageProp structure in which the properties of the |
|
181 |
* token should be stored. |
|
182 |
* @throws GSSException if there is a problem reading from the |
|
183 |
* InputStream or parsing the token |
|
184 |
*/ |
|
185 |
MessageToken_v2(int tokenId, Krb5Context context, InputStream is, |
|
186 |
MessageProp prop) throws GSSException { |
|
187 |
init(tokenId, context); |
|
188 |
||
189 |
try { |
|
190 |
if (!confState) { |
|
191 |
prop.setPrivacy(false); |
|
192 |
} |
|
193 |
tokenHeader = new MessageTokenHeader(is, prop, tokenId); |
|
194 |
||
195 |
// set key_usage |
|
196 |
if (tokenId == Krb5Token.WRAP_ID_v2) { |
|
197 |
key_usage = (!initiator ? KG_USAGE_INITIATOR_SEAL |
|
198 |
: KG_USAGE_ACCEPTOR_SEAL); |
|
199 |
} else if (tokenId == Krb5Token.MIC_ID_v2) { |
|
200 |
key_usage = (!initiator ? KG_USAGE_INITIATOR_SIGN |
|
201 |
: KG_USAGE_ACCEPTOR_SIGN); |
|
202 |
} |
|
203 |
||
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
204 |
int minSize = 0; // minimal size for token data |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
205 |
if (tokenId == Krb5Token.WRAP_ID_v2 && prop.getPrivacy()) { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
206 |
minSize = CONFOUNDER_SIZE + |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
207 |
TOKEN_HEADER_SIZE + cipherHelper.getChecksumLength(); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
208 |
} else { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
209 |
minSize = cipherHelper.getChecksumLength(); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
210 |
} |
2 | 211 |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
212 |
// Read token data |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
213 |
if (tokenId == Krb5Token.MIC_ID_v2) { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
214 |
// The only case we can precisely predict the token data length |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
215 |
tokenDataLen = minSize; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
216 |
tokenData = new byte[minSize]; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
217 |
readFully(is, tokenData); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
218 |
} else { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
219 |
tokenDataLen = is.available(); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
220 |
if (tokenDataLen >= minSize) { // read in one shot |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
221 |
tokenData = new byte[tokenDataLen]; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
222 |
readFully(is, tokenData); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
223 |
} else { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
224 |
byte[] tmp = new byte[minSize]; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
225 |
readFully(is, tmp); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
226 |
// Hope while blocked in the read above, more data would |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
227 |
// come and is.available() below contains the whole token. |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
228 |
int more = is.available(); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
229 |
tokenDataLen = minSize + more; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
230 |
tokenData = Arrays.copyOf(tmp, tokenDataLen); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
231 |
readFully(is, tokenData, minSize, more); |
2 | 232 |
} |
233 |
} |
|
234 |
||
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
235 |
if (tokenId == Krb5Token.WRAP_ID_v2) { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
236 |
rotate(); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
237 |
} |
2 | 238 |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
239 |
if (tokenId == Krb5Token.MIC_ID_v2 || |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
240 |
(tokenId == Krb5Token.WRAP_ID_v2 && !prop.getPrivacy())) { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
241 |
// Read checksum |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
242 |
int chkLen = cipherHelper.getChecksumLength(); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
243 |
checksum = new byte[chkLen]; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
244 |
System.arraycopy(tokenData, tokenDataLen-chkLen, |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
245 |
checksum, 0, chkLen); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
246 |
|
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
247 |
// validate EC for Wrap tokens without confidentiality |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
248 |
if (tokenId == Krb5Token.WRAP_ID_v2 && !prop.getPrivacy()) { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
249 |
if (chkLen != ec) { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
250 |
throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
251 |
getTokenName(tokenId) + ":" + "EC incorrect!"); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
252 |
} |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
253 |
} |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
254 |
} |
2 | 255 |
} catch (IOException e) { |
256 |
throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, |
|
257 |
getTokenName(tokenId) + ":" + e.getMessage()); |
|
258 |
} |
|
259 |
} |
|
260 |
||
261 |
/** |
|
262 |
* Used to obtain the token id that was contained in this token. |
|
263 |
* @return the token id in the token |
|
264 |
*/ |
|
265 |
public final int getTokenId() { |
|
266 |
return tokenId; |
|
267 |
} |
|
268 |
||
269 |
/** |
|
270 |
* Used to obtain the key_usage type for this token. |
|
271 |
* @return the key_usage for the token |
|
272 |
*/ |
|
273 |
public final int getKeyUsage() { |
|
274 |
return key_usage; |
|
275 |
} |
|
276 |
||
277 |
/** |
|
278 |
* Used to determine if this token contains any encrypted data. |
|
279 |
* @return true if it contains any encrypted data, false if there is only |
|
280 |
* plaintext data or if there is no data. |
|
281 |
*/ |
|
282 |
public final boolean getConfState() { |
|
283 |
return confState; |
|
284 |
} |
|
285 |
||
286 |
/** |
|
287 |
* Generates the checksum field and the sequence number field. |
|
288 |
* |
|
289 |
* @param prop the MessageProp structure |
|
290 |
* @param data the application data to checksum |
|
291 |
* @param offset the offset where the data starts |
|
292 |
* @param len the length of the data |
|
293 |
* |
|
294 |
* @throws GSSException if an error occurs in the checksum calculation or |
|
295 |
* sequence number calculation. |
|
296 |
*/ |
|
297 |
public void genSignAndSeqNumber(MessageProp prop, |
|
298 |
byte[] data, int offset, int len) |
|
299 |
throws GSSException { |
|
300 |
||
301 |
// debug("Inside MessageToken.genSignAndSeqNumber:\n"); |
|
302 |
||
303 |
int qop = prop.getQOP(); |
|
304 |
if (qop != 0) { |
|
305 |
qop = 0; |
|
306 |
prop.setQOP(qop); |
|
307 |
} |
|
308 |
||
309 |
if (!confState) { |
|
310 |
prop.setPrivacy(false); |
|
311 |
} |
|
312 |
||
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
313 |
// Create a new gss token header as defined in RFC 4121 |
2 | 314 |
tokenHeader = new MessageTokenHeader(tokenId, |
315 |
prop.getPrivacy(), true); |
|
316 |
// debug("\n\t Message Header = " + |
|
317 |
// getHexBytes(tokenHeader.getBytes(), tokenHeader.getBytes().length)); |
|
318 |
||
319 |
// set key_usage |
|
320 |
if (tokenId == Krb5Token.WRAP_ID_v2) { |
|
321 |
key_usage = (initiator ? KG_USAGE_INITIATOR_SEAL |
|
322 |
: KG_USAGE_ACCEPTOR_SEAL); |
|
323 |
} else if (tokenId == Krb5Token.MIC_ID_v2) { |
|
324 |
key_usage = (initiator ? KG_USAGE_INITIATOR_SIGN |
|
325 |
: KG_USAGE_ACCEPTOR_SIGN); |
|
326 |
} |
|
327 |
||
328 |
// Calculate SGN_CKSUM |
|
329 |
if ((tokenId == MIC_ID_v2) || |
|
330 |
(!prop.getPrivacy() && (tokenId == WRAP_ID_v2))) { |
|
331 |
checksum = getChecksum(data, offset, len); |
|
332 |
// debug("\n\tCalc checksum=" + |
|
333 |
// getHexBytes(checksum, checksum.length)); |
|
334 |
} |
|
335 |
||
336 |
// In Wrap tokens without confidentiality, the EC field SHALL be used |
|
337 |
// to encode the number of octets in the trailing checksum |
|
338 |
if (!prop.getPrivacy() && (tokenId == WRAP_ID_v2)) { |
|
339 |
byte[] tok_header = tokenHeader.getBytes(); |
|
340 |
tok_header[4] = (byte) (checksum.length >>> 8); |
|
341 |
tok_header[5] = (byte) (checksum.length); |
|
342 |
} |
|
343 |
} |
|
344 |
||
345 |
/** |
|
346 |
* Verifies the validity of checksum field |
|
347 |
* |
|
348 |
* @param data the application data |
|
349 |
* @param offset the offset where the data begins |
|
350 |
* @param len the length of the application data |
|
351 |
* |
|
352 |
* @throws GSSException if an error occurs in the checksum calculation |
|
353 |
*/ |
|
354 |
public final boolean verifySign(byte[] data, int offset, int len) |
|
355 |
throws GSSException { |
|
356 |
||
357 |
// debug("\t====In verifySign:====\n"); |
|
358 |
// debug("\t\t checksum: [" + getHexBytes(checksum) + "]\n"); |
|
359 |
// debug("\t\t data = [" + getHexBytes(data) + "]\n"); |
|
360 |
||
361 |
byte[] myChecksum = getChecksum(data, offset, len); |
|
362 |
// debug("\t\t mychecksum: [" + getHexBytes(myChecksum) +"]\n"); |
|
363 |
||
364 |
if (MessageDigest.isEqual(checksum, myChecksum)) { |
|
365 |
// debug("\t\t====Checksum PASS:====\n"); |
|
366 |
return true; |
|
367 |
} |
|
368 |
return false; |
|
369 |
} |
|
370 |
||
371 |
/** |
|
372 |
* Rotate bytes as per the "RRC" (Right Rotation Count) received. |
|
373 |
* Our implementation does not do any rotates when sending, only |
|
374 |
* when receiving, we rotate left as per the RRC count, to revert it. |
|
375 |
*/ |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
376 |
private void rotate() { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
377 |
if (rrc % tokenDataLen != 0) { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
378 |
rrc = rrc % tokenDataLen; |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
379 |
byte[] newBytes = new byte[tokenDataLen]; |
2 | 380 |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
381 |
System.arraycopy(tokenData, rrc, newBytes, 0, tokenDataLen-rrc); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
382 |
System.arraycopy(tokenData, 0, newBytes, tokenDataLen-rrc, rrc); |
2 | 383 |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
384 |
tokenData = newBytes; |
2 | 385 |
} |
386 |
} |
|
387 |
||
388 |
public final int getSequenceNumber() { |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
389 |
return seqNumber; |
2 | 390 |
} |
391 |
||
392 |
/** |
|
393 |
* Computes the checksum based on the algorithm stored in the |
|
394 |
* tokenHeader. |
|
395 |
* |
|
396 |
* @param data the application data |
|
397 |
* @param offset the offset where the data begins |
|
398 |
* @param len the length of the application data |
|
399 |
* |
|
400 |
* @throws GSSException if an error occurs in the checksum calculation. |
|
401 |
*/ |
|
402 |
byte[] getChecksum(byte[] data, int offset, int len) |
|
403 |
throws GSSException { |
|
404 |
||
405 |
// debug("Will do getChecksum:\n"); |
|
406 |
||
407 |
/* |
|
408 |
* For checksum calculation the token header bytes i.e., the first 16 |
|
409 |
* bytes following the GSSHeader, are logically prepended to the |
|
410 |
* application data to bind the data to this particular token. |
|
411 |
* |
|
412 |
* Note: There is no such requirement wrt adding padding to the |
|
413 |
* application data for checksumming, although the cryptographic |
|
414 |
* algorithm used might itself apply some padding. |
|
415 |
*/ |
|
416 |
||
417 |
byte[] tokenHeaderBytes = tokenHeader.getBytes(); |
|
418 |
||
419 |
// check confidentiality |
|
420 |
int conf_flag = tokenHeaderBytes[TOKEN_FLAG_POS] & |
|
421 |
FLAG_WRAP_CONFIDENTIAL; |
|
422 |
||
10696 | 423 |
// clear EC and RRC in token header for checksum calculation |
2 | 424 |
if ((conf_flag == 0) && (tokenId == WRAP_ID_v2)) { |
425 |
tokenHeaderBytes[4] = 0; |
|
426 |
tokenHeaderBytes[5] = 0; |
|
10696 | 427 |
tokenHeaderBytes[6] = 0; |
428 |
tokenHeaderBytes[7] = 0; |
|
2 | 429 |
} |
430 |
return cipherHelper.calculateChecksum(tokenHeaderBytes, data, |
|
431 |
offset, len, key_usage); |
|
432 |
} |
|
433 |
||
434 |
||
435 |
/** |
|
436 |
* Constructs an empty MessageToken for the local context to send to |
|
437 |
* the peer. It also increments the local sequence number in the |
|
438 |
* Krb5Context instance it uses after obtaining the object lock for |
|
439 |
* it. |
|
440 |
* |
|
441 |
* @param tokenId the token id that should be contained in this token |
|
442 |
* @param context the Kerberos context associated with this token |
|
443 |
*/ |
|
444 |
MessageToken_v2(int tokenId, Krb5Context context) throws GSSException { |
|
445 |
/* |
|
446 |
debug("\n============================"); |
|
447 |
debug("\nMySessionKey=" + |
|
448 |
getHexBytes(context.getMySessionKey().getBytes())); |
|
449 |
debug("\nPeerSessionKey=" + |
|
450 |
getHexBytes(context.getPeerSessionKey().getBytes())); |
|
451 |
debug("\n============================\n"); |
|
452 |
*/ |
|
453 |
init(tokenId, context); |
|
454 |
this.seqNumber = context.incrementMySequenceNumber(); |
|
455 |
} |
|
456 |
||
457 |
private void init(int tokenId, Krb5Context context) throws GSSException { |
|
458 |
this.tokenId = tokenId; |
|
459 |
// Just for consistency check in Wrap |
|
460 |
this.confState = context.getConfState(); |
|
461 |
||
462 |
this.initiator = context.isInitiator(); |
|
463 |
||
464 |
this.cipherHelper = context.getCipherHelper(null); |
|
465 |
// debug("In MessageToken.Cons"); |
|
466 |
} |
|
467 |
||
468 |
/** |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
469 |
* Encodes a MessageTokenHeader onto an OutputStream. |
2 | 470 |
* |
471 |
* @param os the OutputStream to which this should be written |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
472 |
* @throws IOException is an error occurs while writing to the OutputStream |
2 | 473 |
*/ |
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
474 |
protected void encodeHeader(OutputStream os) throws IOException { |
2 | 475 |
tokenHeader.encode(os); |
476 |
} |
|
477 |
||
478 |
/** |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
479 |
* Encodes a MessageToken_v2 onto an OutputStream. |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
480 |
* |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
481 |
* @param os the OutputStream to which this should be written |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
482 |
* @throws IOException is an error occurs while encoding the token |
2 | 483 |
*/ |
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
484 |
public abstract void encode(OutputStream os) throws IOException; |
2 | 485 |
|
486 |
protected final byte[] getTokenHeader() { |
|
487 |
return (tokenHeader.getBytes()); |
|
488 |
} |
|
489 |
||
490 |
// ******************************************* // |
|
491 |
// I N N E R C L A S S E S F O L L O W |
|
492 |
// ******************************************* // |
|
493 |
||
494 |
/** |
|
495 |
* This inner class represents the initial portion of the message token. |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
496 |
* It constitutes the first 16 bytes of the message token. |
2 | 497 |
*/ |
498 |
class MessageTokenHeader { |
|
499 |
||
500 |
private int tokenId; |
|
501 |
private byte[] bytes = new byte[TOKEN_HEADER_SIZE]; |
|
502 |
||
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
503 |
// Writes a new token header |
2 | 504 |
public MessageTokenHeader(int tokenId, boolean conf, |
505 |
boolean have_acceptor_subkey) throws GSSException { |
|
506 |
||
507 |
this.tokenId = tokenId; |
|
508 |
||
509 |
bytes[0] = (byte) (tokenId >>> 8); |
|
510 |
bytes[1] = (byte) (tokenId); |
|
511 |
||
512 |
// Flags (Note: MIT impl requires subkey) |
|
513 |
int flags = 0; |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
514 |
flags = (initiator ? 0 : FLAG_SENDER_IS_ACCEPTOR) | |
2 | 515 |
((conf && tokenId != MIC_ID_v2) ? |
516 |
FLAG_WRAP_CONFIDENTIAL : 0) | |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
517 |
(have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0); |
2 | 518 |
bytes[2] = (byte) flags; |
519 |
||
520 |
// filler |
|
521 |
bytes[3] = (byte) FILLER; |
|
522 |
||
523 |
if (tokenId == WRAP_ID_v2) { |
|
524 |
// EC field |
|
525 |
bytes[4] = (byte) 0; |
|
526 |
bytes[5] = (byte) 0; |
|
527 |
// RRC field |
|
528 |
bytes[6] = (byte) 0; |
|
529 |
bytes[7] = (byte) 0; |
|
530 |
} else if (tokenId == MIC_ID_v2) { |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
531 |
// more filler for MicToken |
2 | 532 |
for (int i = 4; i < 8; i++) { |
533 |
bytes[i] = (byte) FILLER; |
|
534 |
} |
|
535 |
} |
|
536 |
||
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
537 |
// Calculate SND_SEQ, only write 4 bytes from the 12th position |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
538 |
writeBigEndian(seqNumber, bytes, 12); |
2 | 539 |
} |
540 |
||
541 |
/** |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
542 |
* Reads a MessageTokenHeader from an InputStream and sets the |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
543 |
* appropriate confidentiality and quality of protection |
2 | 544 |
* values in a MessageProp structure. |
545 |
* |
|
546 |
* @param is the InputStream to read from |
|
547 |
* @param prop the MessageProp to populate |
|
548 |
* @throws IOException is an error occurs while reading from the |
|
549 |
* InputStream |
|
550 |
*/ |
|
551 |
public MessageTokenHeader(InputStream is, MessageProp prop, int tokId) |
|
552 |
throws IOException, GSSException { |
|
553 |
||
554 |
readFully(is, bytes, 0, TOKEN_HEADER_SIZE); |
|
555 |
tokenId = readInt(bytes, TOKEN_ID_POS); |
|
556 |
||
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
557 |
// validate Token ID |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
558 |
if (tokenId != tokId) { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
559 |
throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
560 |
getTokenName(tokenId) + ":" + "Defective Token ID!"); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
561 |
} |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
562 |
|
2 | 563 |
/* |
564 |
* Validate new GSS TokenHeader |
|
565 |
*/ |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
566 |
|
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
567 |
// valid acceptor_flag |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
568 |
// If I am initiator, the received token should have ACCEPTOR on |
2 | 569 |
int acceptor_flag = (initiator ? FLAG_SENDER_IS_ACCEPTOR : 0); |
570 |
int flag = bytes[TOKEN_FLAG_POS] & FLAG_SENDER_IS_ACCEPTOR; |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
571 |
if (flag != acceptor_flag) { |
2 | 572 |
throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, |
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
573 |
getTokenName(tokenId) + ":" + "Acceptor Flag Error!"); |
2 | 574 |
} |
575 |
||
576 |
// check for confidentiality |
|
577 |
int conf_flag = bytes[TOKEN_FLAG_POS] & FLAG_WRAP_CONFIDENTIAL; |
|
578 |
if ((conf_flag == FLAG_WRAP_CONFIDENTIAL) && |
|
579 |
(tokenId == WRAP_ID_v2)) { |
|
580 |
prop.setPrivacy(true); |
|
581 |
} else { |
|
582 |
prop.setPrivacy(false); |
|
583 |
} |
|
584 |
||
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
585 |
if (tokenId == WRAP_ID_v2) { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
586 |
// validate filler |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
587 |
if ((bytes[3] & 0xff) != FILLER) { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
588 |
throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
589 |
getTokenName(tokenId) + ":" + "Defective Token Filler!"); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
590 |
} |
2 | 591 |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
592 |
// read EC field |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
593 |
ec = readBigEndian(bytes, TOKEN_EC_POS, 2); |
2 | 594 |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
595 |
// read RRC field |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
596 |
rrc = readBigEndian(bytes, TOKEN_RRC_POS, 2); |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
597 |
} else if (tokenId == MIC_ID_v2) { |
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
598 |
for (int i = 3; i < 8; i++) { |
2 | 599 |
if ((bytes[i] & 0xff) != FILLER) { |
600 |
throw new GSSException(GSSException.DEFECTIVE_TOKEN, |
|
601 |
-1, getTokenName(tokenId) + ":" + |
|
602 |
"Defective Token Filler!"); |
|
603 |
} |
|
604 |
} |
|
605 |
} |
|
606 |
||
607 |
// set default QOP |
|
608 |
prop.setQOP(0); |
|
609 |
||
610 |
// sequence number |
|
7801
814c8359b104
6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102
weijun
parents:
5506
diff
changeset
|
611 |
seqNumber = readBigEndian(bytes, 0, 8); |
2 | 612 |
} |
613 |
||
614 |
/** |
|
615 |
* Encodes this MessageTokenHeader onto an OutputStream |
|
616 |
* @param os the OutputStream to write to |
|
617 |
* @throws IOException is an error occurs while writing |
|
618 |
*/ |
|
619 |
public final void encode(OutputStream os) throws IOException { |
|
620 |
os.write(bytes); |
|
621 |
} |
|
622 |
||
623 |
||
624 |
/** |
|
625 |
* Returns the token id for the message token. |
|
626 |
* @return the token id |
|
627 |
* @see sun.security.jgss.krb5.Krb5Token#MIC_ID_v2 |
|
628 |
* @see sun.security.jgss.krb5.Krb5Token#WRAP_ID_v2 |
|
629 |
*/ |
|
630 |
public final int getTokenId() { |
|
631 |
return tokenId; |
|
632 |
} |
|
633 |
||
634 |
/** |
|
635 |
* Returns the bytes of this header. |
|
636 |
* @return 8 bytes that form this header |
|
637 |
*/ |
|
638 |
public final byte[] getBytes() { |
|
639 |
return bytes; |
|
640 |
} |
|
641 |
} // end of class MessageTokenHeader |
|
642 |
} |