/* |
5506 | 2 |
* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.jgss; |
|
27 |
||
28 |
import org.ietf.jgss.*;
import sun.security.jgss.spi.*;
import java.util.Set;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Arrays;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import sun.security.util.ObjectIdentifier;
import sun.security.util.DerInputStream;
import sun.security.util.DerOutputStream;
|
39 |
||
40 |
/** |
|
41 |
* This is the implementation class for GSSName. Conceptually the |
|
42 |
* GSSName is a container with mechanism specific name elements. Each |
|
43 |
* name element is a representation of how that particular mechanism |
|
44 |
* would canonicalize this principal. |
|
45 |
* |
|
46 |
* Generally a GSSName is created by an application when it supplies |
|
47 |
* a sequence of bytes and a nametype that helps each mechanism |
|
48 |
* decide how to interpret those bytes. |
|
49 |
* |
|
50 |
* It is not necessary to create name elements for each available |
|
51 |
* mechanism at the time the application creates the GSSName. This |
|
52 |
* implementation does this lazily, as and when name elements for |
|
53 |
* mechanisms are required to be handed out. (Generally, other GSS |
|
54 |
* classes like GSSContext and GSSCredential request specific |
|
55 |
* elements depending on the mechanisms that they are dealing with.) |
|
56 |
* Assume that getting a mechanism to parse the application specified |
|
57 |
* bytes is an expensive call. |
|
58 |
* |
|
59 |
* When a GSSName is canonicalized wrt some mechanism, it is supposed |
|
60 |
* to discard all elements of other mechanisms and retain only the |
|
61 |
* element for this mechanism. In GSS terminology this is called a |
|
62 |
* Mechanism Name or MN. This implementation tries to retain the |
|
63 |
* application provided bytes and name type just in case the MN is |
|
64 |
* asked to produce an element for a mechanism that is different. |
|
65 |
* |
|
66 |
* When a GSSName is to be exported, the name element for the desired |
|
67 |
* mechanism is converted to a byte representation and written |
|
68 |
* out. It might happen that a name element for that mechanism cannot |
|
69 |
* be obtained. This happens when the mechanism is just not supported |
|
70 |
* in this GSS-API or when the mechanism is supported but bytes |
|
71 |
* corresponding to the nametypes that it understands are not |
|
72 |
* available in this GSSName. |
|
73 |
* |
|
74 |
* This class is safe for sharing. Each retrieval of a name element |
|
75 |
* from getElement() might potentially add a new element to the |
|
76 |
* hashmap of elements, but getElement() is synchronized. |
|
77 |
* |
|
78 |
* @author Mayank Upadhyay |
|
79 |
* @since 1.4 |
|
80 |
*/ |
|
81 |
||
82 |
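public class GSSNameImpl implements GSSName {

    /**
     * The old Oid used in RFC 2853. Now supported as
     * input parameters in:
     *
     * 1. The four overloaded GSSManager.createName(*) methods
     * 2. GSSManager.getMechsForName(Oid)
     *
     * Note that even if a GSSName is created with this old Oid,
     * its internal name type and getStringNameType() output are
     * always the new value.
     */
    final static Oid oldHostbasedServiceName;

    static {
        Oid tmp = null;
        try {
            tmp = new Oid("1.3.6.1.5.6.2");
        } catch (GSSException ignored) {
            // Cannot happen: the dotted-decimal literal above is a valid OID.
        }
        oldHostbasedServiceName = tmp;
    }

    private GSSManagerImpl gssManager = null;

    /*
     * Store whatever the application passed in. We will use this to
     * get individual mechanisms to create name elements as and when
     * needed.
     * Store both the String and the byte[]. Leave I18N to the
     * mechanism by allowing it to extract bytes from the String!
     */

    private String appNameStr = null;
    private byte[] appNameBytes = null;
    private Oid appNameType = null;

    /*
     * When we figure out what the printable name would be, we store
     * both the name and its type.
     */

    private String printableName = null;
    private Oid printableNameType = null;

    // Cache of per-mechanism name elements, keyed by mechanism Oid.
    // Populated lazily by getElement(), which is synchronized.
    private HashMap<Oid, GSSNameSpi> elements = null;
    // The element this name is canonicalized for. NOTE(review): export()
    // assigns this field outside getElement()'s lock; confirm that is
    // acceptable for the "safe for sharing" contract in the class doc.
    private GSSNameSpi mechElement = null;

    /**
     * Wraps a mechanism name element in a GSSNameImpl.
     *
     * @param gssManager the manager used to obtain further elements
     * @param mechElement the element to wrap; may be {@code null}
     * @return a new name, or {@code null} when mechElement is {@code null}
     * @throws GSSException declared for callers; not thrown by the
     *         wrapping itself
     */
    static GSSNameImpl wrapElement(GSSManagerImpl gssManager,
                                   GSSNameSpi mechElement) throws GSSException {
        return (mechElement == null ?
                null : new GSSNameImpl(gssManager, mechElement));
    }

    /**
     * Creates an MN directly from an existing mechanism element. The
     * printable form and its type are taken from the element.
     *
     * @param gssManager the manager used to obtain further elements
     * @param mechElement the element this name is canonicalized for;
     *        must not be {@code null}
     */
    GSSNameImpl(GSSManagerImpl gssManager, GSSNameSpi mechElement) {
        this.gssManager = gssManager;
        appNameStr = printableName = mechElement.toString();
        appNameType = printableNameType = mechElement.getStringNameType();
        this.mechElement = mechElement;
        elements = new HashMap<>(1);
        elements.put(mechElement.getMechanism(), this.mechElement);
    }

    /**
     * Creates a name from application supplied bytes or String, using
     * the default mechanism for the initial element.
     *
     * @param gssManager the manager used to obtain name elements
     * @param appName a String or a byte[]
     * @param appNameType the name type Oid; may be {@code null}
     * @throws GSSException if the name cannot be imported
     */
    GSSNameImpl(GSSManagerImpl gssManager,
                Object appName,
                Oid appNameType)
        throws GSSException {
        this(gssManager, appName, appNameType, null);
    }

    /**
     * Creates a name from application supplied bytes or String.
     *
     * @param gssManager the manager used to obtain name elements
     * @param appName a String or a byte[]; must not be {@code null}
     * @param appNameType the name type Oid; may be {@code null}. The old
     *        hostbased-service Oid is mapped to NT_HOSTBASED_SERVICE.
     * @param mech the mechanism for the initial element; {@code null}
     *        selects the default mechanism
     * @throws GSSException with BAD_NAME if appName is {@code null} or an
     *         exported name token is malformed
     */
    GSSNameImpl(GSSManagerImpl gssManager,
                Object appName,
                Oid appNameType,
                Oid mech)
        throws GSSException {

        if (oldHostbasedServiceName.equals(appNameType)) {
            appNameType = GSSName.NT_HOSTBASED_SERVICE;
        }
        if (appName == null)
            throw new GSSExceptionImpl(GSSException.BAD_NAME,
                                       "Cannot import null name");
        if (mech == null) mech = ProviderList.DEFAULT_MECH_OID;
        if (NT_EXPORT_NAME.equals(appNameType)) {
            importName(gssManager, appName);
        } else {
            init(gssManager, appName, appNameType, mech);
        }
    }

    /**
     * Records the application supplied name and obtains the element for
     * the given mechanism, which becomes this name's mechElement.
     *
     * @param gssManager the manager used to obtain name elements
     * @param appName a String or a byte[]
     * @param appNameType the name type Oid; may be {@code null}
     * @param mech the mechanism whose element is created eagerly
     * @throws GSSException if the mechanism cannot parse the name
     */
    private void init(GSSManagerImpl gssManager,
                      Object appName, Oid appNameType,
                      Oid mech)
        throws GSSException {

        this.gssManager = gssManager;
        this.elements =
                new HashMap<>(gssManager.getMechs().length);

        if (appName instanceof String) {
            this.appNameStr = (String) appName;
            /*
             * If appNameType is null, then the nametype for this printable
             * string is determined only by interrogating the
             * mechanism. Thus, defer the setting of printableName and
             * printableNameType till later.
             */
            if (appNameType != null) {
                printableName = appNameStr;
                printableNameType = appNameType;
            }
        } else {
            this.appNameBytes = (byte[]) appName;
        }

        this.appNameType = appNameType;

        mechElement = getElement(mech);

        /*
         * printableName will be null if appName was in a byte[] or if
         * appName was in a String but appNameType was null.
         */
        if (printableName == null) {
            printableName = mechElement.toString();
            printableNameType = mechElement.getStringNameType();
        }

        /*
         * At this point the GSSNameImpl has the following set:
         *  appNameStr or appNameBytes
         *  appNameType (could be null)
         *  printableName
         *  printableNameType
         *  mechElement (which also exists in the hashmap of elements)
         */
    }

    /**
     * Parses an RFC 2743 exported name token (see {@link #export()} for
     * the layout) and initializes this name from its mechanism portion.
     *
     * The token typically originates from a peer, so every length field
     * is validated against the token size before it is used as an index;
     * malformed input is reported as BAD_NAME rather than escaping as an
     * ArrayIndexOutOfBoundsException.
     *
     * @param gssManager the manager used to obtain name elements
     * @param appName the token as a String (UTF-8) or a byte[]
     * @throws GSSException with BAD_NAME if the token is truncated, has a
     *         wrong TOK_ID, or carries an undecodable mechanism OID
     */
    private void importName(GSSManagerImpl gssManager,
                            Object appName)
        throws GSSException {

        byte[] bytes;
        if (appName instanceof String) {
            bytes = ((String) appName).getBytes(StandardCharsets.UTF_8);
        } else {
            bytes = (byte[]) appName;
        }

        // TOK_ID (2 bytes) + MECH_OID_LEN (2 bytes) must be present.
        if (bytes.length < 4) {
            throw new GSSExceptionImpl(GSSException.BAD_NAME,
                                       "Exported name token is truncated!");
        }

        int pos = 0;
        if ((bytes[pos++] != 0x04) ||
            (bytes[pos++] != 0x01))
            throw new GSSExceptionImpl(GSSException.BAD_NAME,
                                   "Exported name token id is corrupted!");

        int oidLen = (((0xFF & bytes[pos++]) << 8) |
                      (0xFF & bytes[pos++]));
        // The DER OID plus the 4-byte NAME_LEN field must fit in the token.
        // bytes.length >= 4 here, so the subtraction cannot underflow.
        if (oidLen > bytes.length - pos - 4) {
            throw new GSSExceptionImpl(GSSException.BAD_NAME,
                       "Exported name Object identifier is corrupted!");
        }
        ObjectIdentifier temp = null;
        try {
            DerInputStream din = new DerInputStream(bytes, pos,
                                                    oidLen);
            temp = new ObjectIdentifier(din);
        } catch (IOException e) {
            throw new GSSExceptionImpl(GSSException.BAD_NAME,
                       "Exported name Object identifier is corrupted!");
        }
        Oid oid = new Oid(temp.toString());
        pos += oidLen;
        int mechPortionLen = (((0xFF & bytes[pos++]) << 24) |
                              ((0xFF & bytes[pos++]) << 16) |
                              ((0xFF & bytes[pos++]) << 8) |
                              (0xFF & bytes[pos++]));

        // NAME_LEN is read as a signed int; reject negative values and
        // values that would run past the end of the token.
        if (mechPortionLen < 0 || pos > bytes.length - mechPortionLen) {
            throw new GSSExceptionImpl(GSSException.BAD_NAME,
                "Exported name mech name is corrupted!");
        }
        byte[] mechPortion = Arrays.copyOfRange(bytes, pos,
                                                pos + mechPortionLen);

        init(gssManager, mechPortion, NT_EXPORT_NAME, oid);
    }

    /**
     * Returns an MN for the given mechanism, sharing this name's
     * application supplied bytes.
     *
     * @param mech the mechanism; {@code null} selects the default mechanism
     * @return the canonicalized name, or {@code null} if no element could
     *         be obtained
     * @throws GSSException if the mechanism cannot parse the name
     */
    @Override
    public GSSName canonicalize(Oid mech) throws GSSException {
        if (mech == null) mech = ProviderList.DEFAULT_MECH_OID;

        return wrapElement(gssManager, getElement(mech));
    }

    /**
     * This method may return false negatives. But if it says two
     * names are equals, then there is some mechanism that
     * authenticates them as the same principal.
     *
     * @param other the name to compare with; {@code null} compares unequal
     * @return {@code true} if some mechanism element, or failing that the
     *         application supplied bytes and name type, match
     * @throws GSSException if a required name element cannot be created
     */
    @Override
    public boolean equals(GSSName other) throws GSSException {

        if (other == null)
            return false;

        // Anonymous names never compare equal, not even to themselves.
        if (this.isAnonymous() || other.isAnonymous())
            return false;

        if (other == this)
            return true;

        // Re-import a foreign GSSName through our own manager so that the
        // comparison below can use our element types.
        if (! (other instanceof GSSNameImpl))
            return equals(gssManager.createName(other.toString(),
                                                other.getStringNameType()));

        /*
         * XXX Do a comparison of the appNameStr/appNameBytes if
         * available. If that fails, then proceed with this test.
         */

        GSSNameImpl that = (GSSNameImpl) other;

        GSSNameSpi myElement = this.mechElement;
        GSSNameSpi element = that.mechElement;

        /*
         * XXX If they are not of the same mechanism type, convert both to
         * Kerberos since it is guaranteed to be present.
         */
        if ((myElement == null) && (element != null)) {
            myElement = this.getElement(element.getMechanism());
        } else if ((myElement != null) && (element == null)) {
            element = that.getElement(myElement.getMechanism());
        }

        if (myElement != null && element != null) {
            return myElement.equals(element);
        }

        // Fall back to the raw application input: same name type and
        // identical bytes (String input is compared as UTF-8).
        if ((this.appNameType != null) &&
            (that.appNameType != null)) {
            if (!this.appNameType.equals(that.appNameType)) {
                return false;
            }
            byte[] myBytes =
                (this.appNameStr != null ?
                 this.appNameStr.getBytes(StandardCharsets.UTF_8) :
                 this.appNameBytes);
            byte[] bytes =
                (that.appNameStr != null ?
                 that.appNameStr.getBytes(StandardCharsets.UTF_8) :
                 that.appNameBytes);

            return Arrays.equals(myBytes, bytes);
        }

        return false;

    }

    /**
     * Returns a hashcode value for this GSSName.
     *
     * @return a hashCode value
     */
    @Override
    public int hashCode() {
        /*
         * XXX
         * In order to get this to work reliably and properly(!), obtain a
         * Kerberos name element for the name and then call hashCode on its
         * string representation. But this cannot be done if the nametype
         * is not one of those supported by the Kerberos provider and hence
         * this name cannot be imported by Kerberos. In that case return a
         * constant value!
         *
         * The constant keeps hashCode() consistent with the
         * mechanism-dependent equals(): equal names always hash alike.
         */

        return 1;
    }

    /**
     * Object equality, delegating to {@link #equals(GSSName)}.
     *
     * @param another the object to compare with
     * @return {@code true} only if another is a GSSName that
     *         {@link #equals(GSSName)} accepts; a GSSException raised
     *         during the comparison yields {@code false}
     */
    @Override
    public boolean equals(Object another) {

        try {
            // XXX This can lead to an infinite loop. Extract info
            // and create a GSSNameImpl with it.

            if (another instanceof GSSName)
                return equals((GSSName) another);
        } catch (GSSException ignored) {
            // Squelch it and return false: Object.equals cannot throw.
        }

        return false;
    }

    /**
     * Returns a flat name representation for this object. The name
     * format is defined in RFC 2743:
     *<pre>
     * Length           Name          Description
     * 2               TOK_ID          Token Identifier
     *                                 For exported name objects, this
     *                                 must be hex 04 01.
     * 2               MECH_OID_LEN    Length of the Mechanism OID
     * MECH_OID_LEN    MECH_OID        Mechanism OID, in DER
     * 4               NAME_LEN        Length of name
     * NAME_LEN        NAME            Exported name; format defined in
     *                                 applicable mechanism draft.
     *</pre>
     *
     * Note that it is not required to canonicalize a name before
     * calling export(). i.e., the name need not be an MN. If it is
     * not an MN, an implementation defined algorithm can be used for
     * choosing the mechanism which should export this name.
     *
     * @return the flat name representation for this object
     * @exception GSSException with major codes NAME_NOT_MN, BAD_NAME,
     *  BAD_NAME, FAILURE.
     */
    @Override
    public byte[] export() throws GSSException {

        if (mechElement == null) {
            /* Use default mech */
            mechElement = getElement(ProviderList.DEFAULT_MECH_OID);
        }

        byte[] mechPortion = mechElement.export();
        ObjectIdentifier oid = null;

        try {
            oid = new ObjectIdentifier
                (mechElement.getMechanism().toString());
        } catch (IOException e) {
            throw new GSSExceptionImpl(GSSException.FAILURE,
                                       "Invalid OID String ");
        }
        DerOutputStream dout = new DerOutputStream();
        try {
            dout.putOID(oid);
        } catch (IOException e) {
            throw new GSSExceptionImpl(GSSException.FAILURE,
                                       "Could not ASN.1 Encode "
                                       + oid.toString());
        }
        byte[] oidBytes = dout.toByteArray();

        // TOK_ID + MECH_OID_LEN + MECH_OID + NAME_LEN + NAME
        byte[] retVal = new byte[2
                                 + 2 + oidBytes.length
                                 + 4 + mechPortion.length];
        int pos = 0;
        retVal[pos++] = 0x04;
        retVal[pos++] = 0x01;
        // Big-endian lengths, matching the decoding in importName().
        retVal[pos++] = (byte) (oidBytes.length>>>8);
        retVal[pos++] = (byte) oidBytes.length;
        System.arraycopy(oidBytes, 0, retVal, pos, oidBytes.length);
        pos += oidBytes.length;
        retVal[pos++] = (byte) (mechPortion.length>>>24);
        retVal[pos++] = (byte) (mechPortion.length>>>16);
        retVal[pos++] = (byte) (mechPortion.length>>>8);
        retVal[pos++] = (byte) mechPortion.length;
        System.arraycopy(mechPortion, 0, retVal, pos, mechPortion.length);
        return retVal;
    }

    /**
     * Returns the printable form of this name as determined at
     * construction time.
     *
     * @return the printable name
     */
    @Override
    public String toString() {
        return printableName;

    }

    /**
     * Returns the name type of the printable form.
     *
     * @return the printable name's type Oid; may be {@code null}
     * @throws GSSException declared by the interface; not thrown here
     */
    @Override
    public Oid getStringNameType() throws GSSException {
        return printableNameType;
    }

    /**
     * Tells whether this name is the anonymous name.
     *
     * @return {@code true} if the printable name type is NT_ANONYMOUS
     */
    @Override
    public boolean isAnonymous() {
        if (printableNameType == null) {
            return false;
        } else {
            return GSSName.NT_ANONYMOUS.equals(printableNameType);
        }
    }

    /**
     * Tells whether this name is a Mechanism Name.
     *
     * @return always {@code true}
     */
    @Override
    public boolean isMN() {
        return true; // Since always canonicalized for some mech
    }

    /**
     * Returns the name element for the given mechanism, creating and
     * caching it on first request.
     *
     * @param mechOid the mechanism whose element is wanted
     * @return the cached or newly created element
     * @throws GSSException if the mechanism cannot parse the application
     *         supplied name
     */
    public synchronized GSSNameSpi getElement(Oid mechOid)
        throws GSSException {

        GSSNameSpi retVal = elements.get(mechOid);

        if (retVal == null) {
            // Let the mechanism do the parsing from whichever form the
            // application gave us (String or byte[]).
            if (appNameStr != null) {
                retVal = gssManager.getNameElement
                    (appNameStr, appNameType, mechOid);
            } else {
                retVal = gssManager.getNameElement
                    (appNameBytes, appNameType, mechOid);
            }
            elements.put(mechOid, retVal);
        }
        return retVal;
    }

    /**
     * Returns a snapshot of all name elements created so far.
     *
     * @return a new set containing the cached elements
     */
    Set<GSSNameSpi> getElements() {
        return new HashSet<>(elements.values());
    }

    /**
     * Maps a name type Oid to a short symbolic string, for diagnostics.
     *
     * @param nameTypeOid the name type; may be {@code null}
     * @return the symbolic name, "(NT is null)" or "Unknown"
     */
    private static String getNameTypeStr(Oid nameTypeOid) {

        if (nameTypeOid == null)
            return "(NT is null)";

        if (nameTypeOid.equals(NT_USER_NAME))
            return "NT_USER_NAME";
        if (nameTypeOid.equals(NT_HOSTBASED_SERVICE))
            return "NT_HOSTBASED_SERVICE";
        if (nameTypeOid.equals(NT_EXPORT_NAME))
            return "NT_EXPORT_NAME";
        if (nameTypeOid.equals(GSSUtil.NT_GSS_KRB5_PRINCIPAL))
            return "NT_GSS_KRB5_PRINCIPAL";
        else
            return "Unknown";
    }
}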