author | chegar |
Thu, 17 Oct 2019 20:54:25 +0100 | |
branch | datagramsocketimpl-branch |
changeset 58679 | 9c3209ff7550 |
parent 58678 | 9cf78a70fa4f |
parent 58638 | 7be56b2ac50d |
permissions | -rw-r--r-- |
2 | 1 |
/* |
* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.jgss.krb5; |
|
27 |
||
28 |
import org.ietf.jgss.*; |
|
import sun.security.util.HexDumpEncoder; |
2 | 30 |
import sun.security.jgss.GSSUtil; |
import sun.security.jgss.GSSCaller; |
2 | 32 |
import sun.security.jgss.spi.*; |
33 |
import sun.security.jgss.TokenTracker; |
|
34 |
import sun.security.krb5.*; |
|
35 |
import java.io.InputStream; |
|
36 |
import java.io.OutputStream; |
|
37 |
import java.io.IOException; |
|
38 |
import java.security.Provider; |
|
39 |
import java.security.AccessController; |
|
40 |
import java.security.AccessControlContext; |
|
import java.security.Key; |
import java.security.PrivilegedActionException; |
2 | 43 |
import java.security.PrivilegedExceptionAction; |
44 |
import javax.security.auth.Subject; |
|
import javax.security.auth.kerberos.ServicePermission; |
import javax.security.auth.kerberos.KerberosCredMessage; |
import javax.security.auth.kerberos.KerberosPrincipal; |
import javax.security.auth.kerberos.KerberosTicket; |
import sun.security.krb5.internal.Ticket; |
import sun.security.krb5.internal.AuthorizationData; |
2 | 51 |
|
52 |
/** |
|
53 |
* Implements the mechanism specific context class for the Kerberos v5 |
|
54 |
* GSS-API mechanism. |
|
55 |
* |
|
56 |
* @author Mayank Upadhyay |
|
57 |
* @author Ram Marti |
|
58 |
* @since 1.4 |
|
59 |
*/ |
|
60 |
class Krb5Context implements GSSContextSpi { |
|
61 |
||
62 |
/*
 * The different states that this context can be in.
 */

private static final int STATE_NEW = 1;
private static final int STATE_IN_PROCESS = 2;
private static final int STATE_DONE = 3;
private static final int STATE_DELETED = 4;

// Establishment state; starts at STATE_NEW. initSecContext() advances it to
// STATE_IN_PROCESS; the request*() setters only honour requests while it is
// still STATE_NEW, and getDelegCred()/tryConstrainedDelegation() refuse to
// act unless it is STATE_IN_PROCESS or STATE_DONE.
private int state = STATE_NEW;

// Possible values of keySrc (reported by getKeySrc()). Presumably they
// identify which key per-message tokens are protected with (session key or
// one of the subkeys) — TODO confirm against the callers of setKey().
public static final int SESSION_KEY = 0;
public static final int INITIATOR_SUBKEY = 1;
public static final int ACCEPTOR_SUBKEY = 2;

/*
 * Optional features that the application can set and their default
 * values.
 */

private boolean credDelegState = false; // now only useful at client
private boolean mutualAuthState = true;
private boolean replayDetState = true;
private boolean sequenceDetState = true;
private boolean confState = true;
private boolean integState = true;
private boolean delegPolicyState = false;

// Guards tryConstrainedDelegation() so the acceptor-side S4U2proxy attempt
// is made at most once per context, whatever its outcome.
private boolean isConstrainedDelegationTried = false;

private int mySeqNumber;
private int peerSeqNumber;
// Recorded by setKey() together with the key; returned by getKeySrc().
private int keySrc;
// Rebuilt from peerSeqNumber in resetPeerSequenceNumber(); presumably used
// for replay/sequence checking of received tokens — confirm in TokenTracker.
private TokenTracker peerTokenTracker;

// Built lazily by getCipherHelper() and replaced outright by setKey().
private CipherHelper cipherHelper = null;

/*
 * Separate locks for the sequence numbers allow the application to
 * receive tokens at the same time that it is sending tokens. Note
 * that the application must synchronize the generation and
 * transmission of tokens such that tokens are processed in the same
 * order that they are generated. This is important when sequence
 * checking of per-message tokens is enabled.
 */

private Object mySeqNumberLock = new Object();
private Object peerSeqNumberLock = new Object();

// Context key installed by setKey(); null until then (getCipherHelper()
// then falls back to the key its caller supplies).
private EncryptionKey key;
private Krb5NameElement myName;
private Krb5NameElement peerName;
private int lifetime;
// true on the initiator side, false on the acceptor side (set by the ctors).
private boolean initiator;
private ChannelBinding channelBinding;

private Krb5CredElement myCred;
private Krb5CredElement delegatedCred; // Set only on acceptor side

// XXX See if the required info from these can be extracted and
// stored elsewhere
private Credentials tgt;
private Credentials serviceCreds;
private KrbApReq apReq;
// Acceptor side; handed to Krb5ProxyCredential by tryConstrainedDelegation().
Ticket serviceTicket;
final private GSSCaller caller;
// Debug tracing in this class goes to System.out when this flag is set.
private static final boolean DEBUG = Krb5Util.DEBUG;
129 |
||
130 |
/**
 * Creates a context on the initiator's side.
 *
 * @param caller   the calling subsystem; later passed to
 *                 Krb5InitCredential.getInstance() when a credential has
 *                 to be acquired
 * @param peerName the acceptor (target) name; must not be null
 * @param myCred   the initiator's credential, or null to have one acquired
 *                 on the first initSecContext() call
 * @param lifetime the requested context lifetime
 * @throws IllegalArgumentException if {@code peerName} is null
 * @throws GSSException declared for the callers; not thrown here
 */
Krb5Context(GSSCaller caller, Krb5NameElement peerName, Krb5CredElement myCred,
        int lifetime)
        throws GSSException {
    if (peerName == null) {
        throw new IllegalArgumentException("Cannot have null peer name");
    }
    this.initiator = true;
    this.caller = caller;
    this.peerName = peerName;
    this.myCred = myCred;
    this.lifetime = lifetime;
}
|
147 |
||
148 |
/**
 * Creates a context on the acceptor's side.
 *
 * @param caller the calling subsystem
 * @param myCred the acceptor's credential
 * @throws GSSException declared for the callers; not thrown here
 */
Krb5Context(GSSCaller caller, Krb5CredElement myCred)
        throws GSSException {
    this.initiator = false;
    this.caller = caller;
    this.myCred = myCred;
}
|
158 |
||
159 |
/**
 * Would import a previously exported context. This mechanism never exports
 * contexts (see {@link #isTransferable()}), so the constructor always fails.
 *
 * @param caller            the calling subsystem (unused)
 * @param interProcessToken the exported token (unused)
 * @throws GSSException always, with major code {@code UNAVAILABLE}
 */
public Krb5Context(GSSCaller caller, byte[] interProcessToken)
        throws GSSException {
    // Unconditional failure; the final field 'caller' is never assigned
    // because no instance can be completed.
    throw new GSSException(GSSException.UNAVAILABLE, -1,
            "GSS Import Context not available");
}
|
167 |
||
168 |
/**
 * Reports whether this context can be exported and later re-imported.
 *
 * @return always {@code false}; export is not implemented here
 */
public final boolean isTransferable() throws GSSException {
    return false;
}
|
175 |
||
176 |
/**
 * Returns the lifetime remaining for this context.
 *
 * @return {@code GSSContext.INDEFINITE_LIFETIME}; the service ticket
 *         lifetime is not yet consulted (XXX)
 */
public final int getLifetime() {
    // XXX Return service ticket lifetime
    final int remaining = GSSContext.INDEFINITE_LIFETIME;
    return remaining;
}
|
183 |
||
184 |
/* |
|
185 |
* Methods that may be invoked by the GSS framework in response |
|
186 |
* to an application request for setting/getting these |
|
187 |
* properties. |
|
188 |
* |
|
189 |
* These can only be called on the initiator side. |
|
190 |
* |
|
191 |
* Notice that an application can only request these |
|
192 |
* properties. The mechanism may or may not support them. The |
|
193 |
* application must make getXXX calls after context establishment |
|
194 |
* to see if the mechanism implementations on both sides support |
|
195 |
* these features. requestAnonymity is an exception where the |
|
196 |
* application will want to call getAnonymityState prior to sending any |
|
197 |
* GSS token during context establishment. |
|
198 |
* |
|
199 |
* Also note that the requests can only be placed before context |
|
200 |
* establishment starts. i.e. when state is STATE_NEW |
|
201 |
*/ |
|
202 |
||
203 |
/**
 * Requests the desired context lifetime. Honoured only on the initiator's
 * side and only before establishment starts; otherwise silently ignored.
 *
 * @param lifetime the requested lifetime
 */
public void requestLifetime(int lifetime) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    this.lifetime = lifetime;
}
|
211 |
||
212 |
/**
 * Requests that confidentiality be available. Honoured only on the
 * initiator's side while the state is still STATE_NEW.
 *
 * @param value whether confidentiality is requested
 */
public final void requestConf(boolean value) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    this.confState = value;
}
|
219 |
||
220 |
/**
 * Reports whether confidentiality is available on this context.
 *
 * @return the current confidentiality flag
 */
public final boolean getConfState() {
    return this.confState;
}
|
226 |
||
227 |
/**
 * Requests that integrity be available. Honoured only on the initiator's
 * side while the state is still STATE_NEW.
 *
 * @param value whether integrity is requested
 */
public final void requestInteg(boolean value) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    this.integState = value;
}
|
234 |
||
235 |
/**
 * Reports whether integrity is available on this context.
 *
 * @return the current integrity flag
 */
public final boolean getIntegState() {
    return this.integState;
}
|
241 |
||
242 |
/**
 * Requests that credential delegation be done during context
 * establishment. Honoured only on the initiator's side while the state is
 * STATE_NEW, and not at all when the initiator credential is a
 * Krb5ProxyCredential.
 *
 * @param value whether delegation is requested
 */
public final void requestCredDeleg(boolean value) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    // Delegation cannot be requested on top of a proxy credential. Note
    // that instanceof is false for a null myCred, so a context without a
    // credential yet still records the request.
    if (!(myCred instanceof Krb5ProxyCredential)) {
        credDelegState = value;
    }
}
253 |
||
254 |
/**
 * Reports whether credential delegation is enabled.
 *
 * On the initiator this is the requested/negotiated flag. On the acceptor
 * the flag is not meaningful; instead this call makes the one-shot
 * constrained-delegation attempt (see tryConstrainedDelegation()) and
 * reports whether a delegated credential is now present. Note that the
 * acceptor-side getter therefore has a side effect.
 *
 * @return whether a delegated credential is (or will be) available
 */
public final boolean getCredDelegState() {
    if (isInitiator()) {
        return credDelegState;
    }
    // Server side deleg state is not flagged by credDelegState.
    // It can use constrained delegation.
    tryConstrainedDelegation();
    return delegatedCred != null;
}
267 |
||
268 |
/**
 * Requests that mutual authentication be done during context
 * establishment. Since this is from the client's perspective, it
 * essentially requests that the server be authenticated. Honoured only on
 * the initiator's side while the state is STATE_NEW.
 *
 * @param value whether mutual authentication is requested
 */
public final void requestMutualAuth(boolean value) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    this.mutualAuthState = value;
}
|
278 |
||
279 |
/**
 * Reports whether mutual authentication is enabled. Since this is from the
 * client's perspective, it essentially means that the server is being
 * authenticated.
 *
 * @return the current mutual-authentication flag
 */
public final boolean getMutualAuthState() {
    return this.mutualAuthState;
}
|
287 |
||
288 |
/**
 * Requests that replay detection be done on the GSS wrap and MIC
 * tokens. Honoured only on the initiator's side while the state is
 * STATE_NEW.
 *
 * @param value whether replay detection is requested
 */
public final void requestReplayDet(boolean value) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    this.replayDetState = value;
}
|
296 |
||
297 |
/**
 * Reports whether replay detection is enabled on the GSS wrap and MIC
 * tokens. Replay detection is considered enabled whenever sequence
 * checking is enabled, since the latter implies the former.
 *
 * @return true if either replay detection or sequence checking is on
 */
public final boolean getReplayDetState() {
    if (replayDetState) {
        return true;
    }
    return sequenceDetState;
}
|
304 |
||
305 |
/**
 * Requests that sequence checking be done on the GSS wrap and MIC
 * tokens. Honoured only on the initiator's side while the state is
 * STATE_NEW.
 *
 * @param value whether sequence checking is requested
 */
public final void requestSequenceDet(boolean value) throws GSSException {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    this.sequenceDetState = value;
}
|
313 |
||
314 |
/**
 * Reports whether sequence checking is enabled on the GSS wrap and MIC
 * tokens. Sequence checking is considered enabled whenever replay
 * detection is enabled.
 *
 * @return true if either sequence checking or replay detection is on
 */
public final boolean getSequenceDetState() {
    if (sequenceDetState) {
        return true;
    }
    return replayDetState;
}
|
321 |
||
4336 | 322 |
/**
 * Requests that the delegation policy be respected. Honoured only on the
 * initiator's side while the state is STATE_NEW. Unlike the other
 * request methods this one declares no GSSException.
 *
 * @param value whether the delegation policy should be respected
 */
public final void requestDelegPolicy(boolean value) {
    if (state != STATE_NEW || !isInitiator()) {
        return;
    }
    this.delegPolicyState = value;
}
|
329 |
||
330 |
/**
 * Reports whether the delegation policy is respected.
 *
 * @return the current delegation-policy flag
 */
public final boolean getDelegPolicyState() {
    return this.delegPolicyState;
}
|
336 |
||
2 | 337 |
/* |
338 |
* Anonymity is a little different in that after an application |
|
339 |
* requests anonymity it will want to know whether the mechanism |
|
340 |
* can support it or not, prior to sending any tokens across for |
|
341 |
* context establishment. Since this is from the initiator's |
|
342 |
* perspective, it essentially requests that the initiator be |
|
343 |
* anonymous. |
|
344 |
*/ |
|
345 |
||
346 |
/**
 * Requests initiator anonymity. This mechanism cannot provide it, so the
 * request is ignored silently; the application is expected to check back
 * with {@link #getAnonymityState()} before sending any token.
 *
 * @param value ignored
 */
public final void requestAnonymity(boolean value) throws GSSException {
    // Intentionally empty: anonymity is never available here.
}
|
350 |
||
351 |
/**
 * Reports whether the initiator is anonymous. Always {@code false} for
 * this mechanism.
 *
 * RFC 2853 actually calls for this to be called after context
 * establishment to get the right answer, but that is incorrect: the
 * application may not want to send over any tokens if anonymity is not
 * available, so it must be answerable before establishment.
 *
 * @return always {@code false}
 */
public final boolean getAnonymityState() {
    return false;
}
|
358 |
||
359 |
/* |
|
360 |
* Package private methods invoked by other Krb5 plugin classes. |
|
361 |
*/ |
|
362 |
||
363 |
/**
 * Returns the context-specific CipherHelper, creating it on first use.
 * Invoked from MessageToken.init().
 *
 * The helper is built from the key installed by setKey() when one is
 * present; before that, the key supplied by the caller is used.
 *
 * @param ckey fallback key used only if no context key has been set yet
 * @return the (possibly newly created) cipher helper
 * @throws GSSException if CipherHelper construction fails
 */
final CipherHelper getCipherHelper(EncryptionKey ckey) throws GSSException {
    if (cipherHelper != null) {
        return cipherHelper;
    }
    EncryptionKey contextKey = getKey();
    EncryptionKey cipherKey = (contextKey != null) ? contextKey : ckey;
    cipherHelper = new CipherHelper(cipherKey);
    return cipherHelper;
}
|
375 |
||
376 |
/**
 * Hands out the next outgoing sequence number.
 *
 * @return the current value of mySeqNumber; the stored value is advanced
 *         by one under mySeqNumberLock
 */
final int incrementMySequenceNumber() {
    synchronized (mySeqNumberLock) {
        // Post-increment: return the old value, then advance.
        return mySeqNumber++;
    }
}
|
384 |
||
385 |
/**
 * Sets the outgoing sequence number, e.g. once it has been negotiated
 * during establishment.
 *
 * @param seqNumber the new value for mySeqNumber
 */
final void resetMySequenceNumber(int seqNumber) {
    if (DEBUG) {
        System.out.println("Krb5Context setting mySeqNumber to: "
                + seqNumber);
    }
    synchronized (mySeqNumberLock) {
        this.mySeqNumber = seqNumber;
    }
}
|
394 |
||
395 |
/**
 * Sets the expected incoming sequence number and starts a fresh
 * TokenTracker from it, discarding whatever the previous tracker had
 * recorded.
 *
 * @param seqNumber the new value for peerSeqNumber
 */
final void resetPeerSequenceNumber(int seqNumber) {
    if (DEBUG) {
        System.out.println("Krb5Context setting peerSeqNumber to: "
                + seqNumber);
    }
    synchronized (peerSeqNumberLock) {
        this.peerSeqNumber = seqNumber;
        this.peerTokenTracker = new TokenTracker(this.peerSeqNumber);
    }
}
|
405 |
||
/**
 * Installs the context key and records where it came from. A new
 * CipherHelper is built immediately so that subsequent per-message tokens
 * are protected with this key.
 *
 * @param keySrc one of SESSION_KEY, INITIATOR_SUBKEY or ACCEPTOR_SUBKEY
 *               (presumably; see the constants above)
 * @param key    the key to use from now on
 * @throws GSSException if CipherHelper construction fails
 */
final void setKey(int keySrc, EncryptionKey key) throws GSSException {
    this.keySrc = keySrc;
    this.key = key;
    // %%% to do: should clear old cipherHelper first
    // The previous helper, if any, is simply dropped and replaced.
    this.cipherHelper = new CipherHelper(key); // Need to use new key
}
|
412 |
||
/**
 * Returns the source of the current context key as recorded by setKey().
 *
 * @return the keySrc value (SESSION_KEY, INITIATOR_SUBKEY or
 *         ACCEPTOR_SUBKEY are the declared candidates)
 */
public final int getKeySrc() {
    return this.keySrc;
}
2 | 417 |
/**
 * Returns the context key installed by setKey(), or null if none yet.
 *
 * @return the current context key or null
 */
private final EncryptionKey getKey() {
    return this.key;
}
|
420 |
||
421 |
/**
 * Called on the acceptor side to store the delegated credentials
 * received in the AcceptSecContextToken.
 *
 * @param delegatedCred the credential forwarded by the initiator
 */
final void setDelegCred(Krb5CredElement delegatedCred) {
    this.delegatedCred = delegatedCred;
}
|
428 |
||
429 |
/* |
|
430 |
* While the application can only request the following features, |
|
431 |
* other classes in the package can call the actual set methods |
|
432 |
* for them. They are called as context establishment tokens are |
|
433 |
* received on an acceptor side and the context feature list that |
|
434 |
* the initiator wants becomes known. |
|
435 |
*/ |
|
436 |
||
437 |
/**
 * Sets the credential-delegation flag directly (package-private; bypasses
 * the STATE_NEW/initiator checks of requestCredDeleg()).
 *
 * This method is also called by InitialToken.OverloadedChecksum if the
 * TGT is not forwardable and the user requested delegation, so that the
 * flag reflects what will actually happen.
 *
 * @param state the new delegation flag
 */
final void setCredDelegState(boolean state) {
    this.credDelegState = state;
}
|
444 |
||
445 |
/**
 * Sets the mutual-authentication flag directly (package-private, no
 * state check).
 *
 * @param state the new flag value
 */
final void setMutualAuthState(boolean state) {
    this.mutualAuthState = state;
}
|
448 |
||
449 |
/**
 * Sets the replay-detection flag directly (package-private, no state
 * check).
 *
 * @param state the new flag value
 */
final void setReplayDetState(boolean state) {
    this.replayDetState = state;
}
|
452 |
||
453 |
/**
 * Sets the sequence-checking flag directly (package-private, no state
 * check).
 *
 * @param state the new flag value
 */
final void setSequenceDetState(boolean state) {
    this.sequenceDetState = state;
}
|
456 |
||
457 |
/**
 * Sets the confidentiality flag directly (package-private, no state
 * check).
 *
 * @param state the new flag value
 */
final void setConfState(boolean state) {
    this.confState = state;
}
|
460 |
||
461 |
/**
 * Sets the integrity flag directly (package-private, no state check).
 *
 * @param state the new flag value
 */
final void setIntegState(boolean state) {
    this.integState = state;
}
|
464 |
||
4336 | 465 |
/**
 * Sets the delegation-policy flag directly (package-private, no state
 * check).
 *
 * @param state the new flag value
 */
final void setDelegPolicyState(boolean state) {
    this.delegPolicyState = state;
}
|
468 |
||
2 | 469 |
/**
 * Sets the channel bindings to be used during context establishment.
 * Only stored here; the comparison against the peer's bindings happens
 * elsewhere in the establishment code.
 *
 * @param channelBinding the bindings to associate with this context
 */
public final void setChannelBinding(ChannelBinding channelBinding)
        throws GSSException {
    this.channelBinding = channelBinding;
}
|
477 |
||
478 |
/**
 * Returns the channel bindings set on this context, or null if none.
 *
 * @return the stored channel bindings
 */
final ChannelBinding getChannelBinding() {
    return this.channelBinding;
}
|
481 |
||
482 |
/**
 * Returns the mechanism OID.
 *
 * @return the Kerberos v5 mechanism Oid of this context
 */
public final Oid getMech() {
    return Krb5MechFactory.GSS_KRB5_MECH_OID;
}
|
490 |
||
491 |
/**
 * Returns the context initiator name: our own name on the initiator side,
 * the peer's name on the acceptor side.
 *
 * @return initiator name
 * @exception GSSException
 */
public final GSSNameSpi getSrcName() throws GSSException {
    if (isInitiator()) {
        return myName;
    }
    return peerName;
}
|
500 |
||
501 |
/**
 * Returns the context acceptor (target) name: the peer's name on the
 * initiator side, our own name on the acceptor side.
 *
 * @return context acceptor(target) name
 * @exception GSSException
 */
public final GSSNameSpi getTargName() throws GSSException {
    return isInitiator() ? peerName : myName;
}
|
510 |
||
511 |
/**
 * Returns the delegated credential for the context. This is an optional
 * feature of contexts which not all mechanisms will support. A context
 * can be requested to support credential delegation by using the
 * <b>CRED_DELEG</b>, or it can request for a constrained delegation.
 * This is only valid on the acceptor side of the context, and only once
 * establishment has started (STATE_IN_PROCESS or STATE_DONE). On the
 * acceptor the one-shot constrained-delegation attempt is made here if it
 * has not happened yet.
 *
 * @return GSSCredentialSpi object for the delegated credential
 * @exception GSSException NO_CONTEXT before establishment starts;
 *            NO_CRED on the initiator side or when no delegated
 *            credential is available
 * @see GSSContext#getDelegCredState
 */
public final GSSCredentialSpi getDelegCred() throws GSSException {
    if (state != STATE_IN_PROCESS && state != STATE_DONE) {
        throw new GSSException(GSSException.NO_CONTEXT);
    }
    if (isInitiator()) {
        // Delegated credentials only ever exist on the acceptor side.
        throw new GSSException(GSSException.NO_CRED);
    }
    tryConstrainedDelegation();
    GSSCredentialSpi result = delegatedCred;
    if (result == null) {
        throw new GSSException(GSSException.NO_CRED);
    }
    return result;
}
|
534 |
||
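/**
 * Acceptor-side, one-shot attempt to obtain a constrained-delegation
 * (S4U2proxy) credential for the peer.
 *
 * Does nothing unless establishment has started (STATE_IN_PROCESS or
 * STATE_DONE). The attempt is made at most once per context, and only if
 * no delegated credential was already forwarded by the initiator (see
 * setDelegCred()). Failure is best effort: the context keeps working
 * without delegation, so the GSSException is not propagated — it is now
 * reported in debug output instead of being dropped silently, which makes
 * "why did S4U2proxy not happen" diagnosable.
 */
private void tryConstrainedDelegation() {
    if (state != STATE_IN_PROCESS && state != STATE_DONE) {
        return;
    }
    // We will only try constrained delegation once (if necessary).
    if (isConstrainedDelegationTried) {
        return;
    }
    if (delegatedCred == null) {
        if (DEBUG) {
            System.out.println(">>> Constrained deleg from " + caller);
        }
        // The constrained delegation part. The acceptor needs to have
        // isInitiator=true in order to get a TGT, either earlier at
        // logon stage, if useSubjectCredsOnly, or now.
        try {
            delegatedCred = new Krb5ProxyCredential(
                    Krb5InitCredential.getInstance(
                            GSSCaller.CALLER_ACCEPT, myName, lifetime),
                    peerName, serviceTicket);
        } catch (GSSException gsse) {
            // OK, delegatedCred stays null; record why when debugging.
            if (DEBUG) {
                System.out.println(">>> Constrained deleg failed: " + gsse);
            }
        }
    }
    isConstrainedDelegationTried = true;
}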
2 | 560 |
/**
 * Tests if this is the initiator side of the context.
 *
 * @return {@code true} for the initiator, {@code false} for the target
 *         (acceptor); fixed by which constructor was used
 */
public final boolean isInitiator() {
    return this.initiator;
}
|
569 |
||
570 |
/**
 * Tests if the context can be used for per-message service. Some
 * mechanisms allow the per-message calls before the context is fully
 * established; this one does not — it requires STATE_DONE.
 *
 * @return {@code true} only once establishment has completed
 */
public final boolean isProtReady() {
    return state == STATE_DONE;
}
|
581 |
||
582 |
/**
 * Initiator context establishment call. This method may be
 * required to be called several times. A CONTINUE_NEEDED return
 * call indicates that more calls are needed after the next token
 * is received from the peer.
 *
 * On the first call (STATE_NEW) the initiator credential is resolved,
 * a service ticket for the peer is located in the Subject or acquired
 * through the Kerberos protocols, and an AP-REQ token is built. On the
 * second call (STATE_IN_PROCESS, mutual authentication only) the peer's
 * AP-REP is validated and nothing is returned.
 *
 * @param is contains the token received from the peer. On the
 * first call it will be ignored.
 * @param mechTokenSize not used by this implementation
 * @return any token required to be sent to the peer
 * It is responsibility of the caller
 * to send the token to its peer for processing.
 * @exception GSSException FAILURE if called on an acceptor context;
 * NO_CRED if no usable initiator credential or TGT is available;
 * otherwise FAILURE wrapping the underlying KrbException/IOException
 */
public final byte[] initSecContext(InputStream is, int mechTokenSize)
    throws GSSException {

    byte[] retVal = null;
    InitialToken token = null;
    // Major code reported if a KrbException/IOException escapes below;
    // switched to NO_CRED while credentials are being resolved.
    int errorCode = GSSException.FAILURE;
    if (DEBUG) {
        System.out.println("Entered Krb5Context.initSecContext with " +
                           "state=" + printState(state));
    }
    if (!isInitiator()) {
        throw new GSSException(GSSException.FAILURE, -1,
                               "initSecContext on an acceptor " +
                               "GSSContext");
    }

    try {
        if (state == STATE_NEW) {
            state = STATE_IN_PROCESS;

            errorCode = GSSException.NO_CRED;

            if (myCred == null) {
                myCred = Krb5InitCredential.getInstance(caller, myName,
                                    GSSCredential.DEFAULT_LIFETIME);
                // May replace the TGT-based credential with a proxy
                // credential for constrained delegation.
                myCred = Krb5ProxyCredential.tryImpersonation(
                        caller, (Krb5InitCredential)myCred);
            } else if (!myCred.isInitiatorCredential()) {
                throw new GSSException(errorCode, -1,
                                       "No TGT available");
            }
            myName = (Krb5NameElement) myCred.getName();
            // 'second' is non-null only for a proxy credential; in that
            // case the service ticket is obtained via S4U2proxy below.
            final Krb5ProxyCredential second;
            if (myCred instanceof Krb5InitCredential) {
                second = null;
                tgt = ((Krb5InitCredential) myCred).getKrb5Credentials();
            } else {
                second = (Krb5ProxyCredential) myCred;
                tgt = second.self.getKrb5Credentials();
            }

            // ServicePermission "initiate" for the peer principal, checked
            // before any ticket is looked up or requested.
            checkPermission(peerName.getKrb5PrincipalName().getName(),
                            "initiate");
            /*
             * If useSubjectCredsonly is true then
             * we check whether we already have the ticket
             * for this service in the Subject and reuse it
             */

            // Captured once so that both privileged lookups below act on
            // the caller's context rather than this library's.
            final AccessControlContext acc =
                AccessController.getContext();

            if (GSSUtil.useSubjectCredsOnly(caller)) {
                KerberosTicket kerbTicket = null;
                try {
                    // get service ticket from caller's subject
                    kerbTicket = AccessController.doPrivileged(
                        new PrivilegedExceptionAction<KerberosTicket>() {
                        public KerberosTicket run() throws Exception {
                            // XXX to be cleaned
                            // highly consider just calling:
                            // Subject.getSubject
                            // SubjectComber.find
                            // instead of Krb5Util.getServiceTicket
                            return Krb5Util.getServiceTicket(
                                GSSCaller.CALLER_UNKNOWN,
                                // since it's useSubjectCredsOnly here,
                                // don't worry about the null
                                second == null ?
                                    myName.getKrb5PrincipalName().getName():
                                    second.getName().getKrb5PrincipalName().getName(),
                                peerName.getKrb5PrincipalName().getName(),
                                acc);
                        }});
                } catch (PrivilegedActionException e) {
                    // Best effort: a failed Subject lookup is not an
                    // error, the ticket is acquired through the Kerberos
                    // protocols in the serviceCreds == null branch below.
                    if (DEBUG) {
                        System.out.println("Attempt to obtain service"
                                + " ticket from the subject failed!");
                    }
                }
                if (kerbTicket != null) {
                    if (DEBUG) {
                        System.out.println("Found service ticket in " +
                                           "the subject" +
                                           kerbTicket);
                    }

                    // convert Ticket to serviceCreds
                    // XXX Should merge these two object types
                    // avoid converting back and forth
                    serviceCreds = Krb5Util.ticketToCreds(kerbTicket);
                }
            }
            if (serviceCreds == null) {
                // either we did not find the serviceCreds in the
                // Subject or useSubjectCreds is false
                if (DEBUG) {
                    System.out.println("Service ticket not found in " +
                                       "the subject");
                }
                // Get Service ticket using the Kerberos protocols
                if (second == null) {
                    serviceCreds = Credentials.acquireServiceCreds(
                         peerName.getKrb5PrincipalName().getName(),
                         tgt);
                } else {
                    // Constrained delegation: request the ticket on
                    // behalf of the impersonated client.
                    serviceCreds = Credentials.acquireS4U2proxyCreds(
                            peerName.getKrb5PrincipalName().getName(),
                            second.tkt,
                            second.getName().getKrb5PrincipalName(),
                            tgt);
                }
                if (GSSUtil.useSubjectCredsOnly(caller)) {
                    final Subject subject =
                        AccessController.doPrivileged(
                        new java.security.PrivilegedAction<Subject>() {
                            public Subject run() {
                                return (Subject.getSubject(acc));
                            }
                        });
                    if (subject != null &&
                        !subject.isReadOnly()) {
                        /*
                         * Store the service credentials as
                         * javax.security.auth.kerberos.KerberosTicket in
                         * the Subject. We could wait until the context is
                         * successfully established; however it is easier
                         * to do it here and there is no harm.
                         */
                        final KerberosTicket kt =
                                Krb5Util.credsToTicket(serviceCreds);
                        AccessController.doPrivileged (
                            new java.security.PrivilegedAction<Void>() {
                              public Void run() {
                                subject.getPrivateCredentials().add(kt);
                                return null;
                              }
                            });
                    } else {
                        // log it for debugging purpose
                        if (DEBUG) {
                            System.out.println("Subject is " +
                                "readOnly;Kerberos Service "+
                                "ticket not stored");
                        }
                    }
                }
            }

            // Credentials are resolved; anything failing from here on is
            // a plain FAILURE.
            errorCode = GSSException.FAILURE;
            token = new InitSecContextToken(this, tgt, serviceCreds);
            // Kept so the AP-REP can be validated on the next call.
            apReq = ((InitSecContextToken)token).getKrbApReq();
            retVal = token.encode();
            // Credential reference is not retained once the AP-REQ is
            // built.
            myCred = null;
            if (!getMutualAuthState()) {
                state = STATE_DONE;
            }
            if (DEBUG) {
                System.out.println("Created InitSecContextToken:\n"+
                    new HexDumpEncoder().encodeBuffer(retVal));
            }
        } else if (state == STATE_IN_PROCESS) {
            // No need to write anything;
            // just validate the incoming token
            new AcceptSecContextToken(this, serviceCreds, apReq, is);
            apReq = null;
            state = STATE_DONE;
        } else {
            // XXX Use logging API?
            if (DEBUG) {
                System.out.println(state);
            }
        }
    } catch (KrbException e) {
        if (DEBUG) {
            e.printStackTrace();
        }
        GSSException gssException =
            new GSSException(errorCode, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    } catch (IOException e) {
        GSSException gssException =
            new GSSException(errorCode, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }
    return retVal;
}
/**
 * Tells whether context establishment has completed.
 *
 * @return {@code true} once the context has reached {@code STATE_DONE}
 */
public final boolean isEstablished() {
    return state == STATE_DONE;
}
/**
 * Acceptor's context establishment call. This method may be
 * required to be called several times. A CONTINUE_NEEDED return
 * call indicates that more calls are needed after the next token
 * is received from the peer.
 *
 * For this mechanism a single call in STATE_NEW resolves the acceptor
 * credential, parses the initiator's AP-REQ from {@code is}, records the
 * client as the peer name and, if mutual authentication is requested,
 * returns an AP-REP token; the context is then in STATE_DONE.
 *
 * @param is contains the token received from the peer.
 * @param mechTokenSize not used by this implementation
 * @return any token required to be sent to the peer
 * It is responsibility of the caller
 * to send the token to its peer for processing.
 * @exception GSSException FAILURE if called on an initiator context or
 * if a KrbException/IOException occurs; NO_CRED if the supplied
 * credential is not an acceptor credential
 */
public final byte[] acceptSecContext(InputStream is, int mechTokenSize)
    throws GSSException {

    byte[] retVal = null;

    if (DEBUG) {
        System.out.println("Entered Krb5Context.acceptSecContext with " +
                           "state=" + printState(state));
    }

    if (isInitiator()) {
        throw new GSSException(GSSException.FAILURE, -1,
                               "acceptSecContext on an initiator " +
                               "GSSContext");
    }
    try {
        if (state == STATE_NEW) {
            state = STATE_IN_PROCESS;
            if (myCred == null) {
                myCred = Krb5AcceptCredential.getInstance(caller, myName);
            } else if (!myCred.isAcceptorCredential()) {
                throw new GSSException(GSSException.NO_CRED, -1,
                                       "No Secret Key available");
            }
            // May be null for an unbound acceptor; resolved from the
            // incoming ticket further down in that case.
            myName = (Krb5NameElement) myCred.getName();

            // If there is already a bound name, check now
            if (myName != null) {
                Krb5MechFactory.checkAcceptCredPermission(myName, myName);
            }

            // Parses and verifies the AP-REQ read from the peer's token.
            InitSecContextToken token = new InitSecContextToken(this,
                                    (Krb5AcceptCredential) myCred, is);
            PrincipalName clientName = token.getKrbApReq().getClient();
            peerName = Krb5NameElement.getInstance(clientName);

            // If unbound, check after the bound name is found
            if (myName == null) {
                myName = Krb5NameElement.getInstance(
                    token.getKrbApReq().getCreds().getServer());
                Krb5MechFactory.checkAcceptCredPermission(myName, myName);
            }

            if (getMutualAuthState()) {
                retVal = new AcceptSecContextToken(this,
                                  token.getKrbApReq()).encode();
            }
            // Retained for inquireSecContext / delegation support.
            serviceTicket = token.getKrbApReq().getCreds().getTicket();
            // Credential reference is not retained once the token is
            // processed.
            myCred = null;
            state = STATE_DONE;
        } else {
            // XXX Use logging API?
            if (DEBUG) {
                System.out.println(state);
            }
        }
    } catch (KrbException e) {
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    } catch (IOException e) {
        if (DEBUG) {
            e.printStackTrace();
        }
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }

    return retVal;
}
/**
 * Queries the context for the largest message size that, once wrapped
 * with the requested protection, still fits into {@code maxTokSize}
 * bytes.
 *
 * @param qop the quality of protection the context will be asked to
 *        provide
 * @param confReq whether confidentiality will be requested
 * @param maxTokSize the maximum size of the output token
 * @return the largest input size that {@code wrap()} accepts under these
 *         constraints; 0 if the token protocol version is neither 0 nor 1
 * @throws GSSException propagated from the size computation
 */
public final int getWrapSizeLimit(int qop, boolean confReq,
                                  int maxTokSize) throws GSSException {
    switch (cipherHelper.getProto()) {
        case 0:
            // version 0 token format
            return WrapToken.getSizeLimit(qop, confReq, maxTokSize,
                                          getCipherHelper(null));
        case 1:
            // version 1 token format
            return WrapToken_v2.getSizeLimit(qop, confReq, maxTokSize,
                                             getCipherHelper(null));
        default:
            return 0;
    }
}
/* |
|
904 |
* Per-message calls depend on the sequence number. The sequence number |
|
905 |
* synchronization is at a finer granularity because wrap and getMIC |
|
906 |
* care about the local sequence number (mySeqNumber) whereas unwrap |
|
907 |
* and verifyMIC care about the remote sequence number (peerSeqNumber). |
|
908 |
*/ |
/**
 * Wraps {@code len} bytes of {@code inBuf} starting at {@code offset}
 * into a per-message token and returns the encoded token.
 *
 * @param inBuf the application data
 * @param offset start of the data within {@code inBuf}
 * @param len number of bytes to wrap
 * @param msgProp requested QOP and confidentiality for this message
 * @return the encoded wrap token
 * @throws GSSException with {@code NO_CONTEXT} if the context is not
 *         fully established, or {@code FAILURE} wrapping an I/O error
 */
public final byte[] wrap(byte[] inBuf, int offset, int len,
                         MessageProp msgProp) throws GSSException {
    if (DEBUG) {
        System.out.println("Krb5Context.wrap: data=["
                           + getHexBytes(inBuf, offset, len)
                           + "]");
    }

    if (state != STATE_DONE) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
                               "Wrap called in invalid state!");
    }

    try {
        byte[] encToken = null;
        switch (cipherHelper.getProto()) {
            case 0:
                encToken = new WrapToken(this, msgProp,
                                         inBuf, offset, len).encode();
                break;
            case 1:
                encToken = new WrapToken_v2(this, msgProp,
                                            inBuf, offset, len).encode();
                break;
            default:
                // unknown protocol version: token stays null
                break;
        }
        if (DEBUG) {
            System.out.println("Krb5Context.wrap: token=["
                               + getHexBytes(encToken, 0, encToken.length)
                               + "]");
        }
        return encToken;
    } catch (IOException e) {
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }
}
/**
 * Wraps {@code len} bytes of {@code inBuf} starting at {@code inOffset}
 * and writes the encoded token into {@code outBuf} at {@code outOffset}.
 *
 * @param inBuf the application data
 * @param inOffset start of the data within {@code inBuf}
 * @param len number of bytes to wrap
 * @param outBuf destination for the encoded token
 * @param outOffset position in {@code outBuf} at which to start writing
 * @param msgProp requested QOP and confidentiality for this message
 * @return number of token bytes written; 0 if the protocol version is
 *         neither 0 nor 1
 * @throws GSSException with {@code NO_CONTEXT} if the context is not
 *         fully established, or {@code FAILURE} wrapping an I/O error
 */
public final int wrap(byte[] inBuf, int inOffset, int len,
                      byte[] outBuf, int outOffset,
                      MessageProp msgProp) throws GSSException {

    if (state != STATE_DONE) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
                               "Wrap called in invalid state!");
    }

    try {
        int written = 0;
        switch (cipherHelper.getProto()) {
            case 0:
                written = new WrapToken(this, msgProp, inBuf, inOffset, len)
                              .encode(outBuf, outOffset);
                break;
            case 1:
                written = new WrapToken_v2(this, msgProp, inBuf, inOffset, len)
                              .encode(outBuf, outOffset);
                break;
            default:
                break;
        }
        if (DEBUG) {
            System.out.println("Krb5Context.wrap: token=["
                               + getHexBytes(outBuf, outOffset, written)
                               + "]");
        }
        return written;
    } catch (IOException e) {
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }
}
/**
 * Wraps {@code len} bytes of {@code inBuf} starting at {@code offset}
 * and writes the encoded token to {@code os}.
 *
 * @param inBuf the application data
 * @param offset start of the data within {@code inBuf}
 * @param len number of bytes to wrap
 * @param os destination stream for the encoded token
 * @param msgProp requested QOP and confidentiality for this message
 * @throws GSSException with {@code NO_CONTEXT} if the context is not
 *         fully established, or {@code FAILURE} wrapping an I/O error
 */
public final void wrap(byte[] inBuf, int offset, int len,
                       OutputStream os, MessageProp msgProp)
    throws GSSException {

    if (state != STATE_DONE) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
                               "Wrap called in invalid state!");
    }

    // Only populated under DEBUG, for the dump after the try block.
    byte[] encToken = null;
    try {
        switch (cipherHelper.getProto()) {
            case 0: {
                WrapToken token =
                    new WrapToken(this, msgProp, inBuf, offset, len);
                token.encode(os);
                if (DEBUG) {
                    encToken = token.encode();
                }
                break;
            }
            case 1: {
                WrapToken_v2 token =
                    new WrapToken_v2(this, msgProp, inBuf, offset, len);
                token.encode(os);
                if (DEBUG) {
                    encToken = token.encode();
                }
                break;
            }
            default:
                break;
        }
    } catch (IOException e) {
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }

    if (DEBUG) {
        System.out.println("Krb5Context.wrap: token=["
                           + getHexBytes(encToken, 0, encToken.length)
                           + "]");
    }
}
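/**
 * Wraps the data currently available on {@code is} and writes the token
 * to {@code os}. Only the number of bytes reported by
 * {@code is.available()} is consumed.
 *
 * @param is the application data to wrap
 * @param os destination stream for the encoded token
 * @param msgProp requested QOP and confidentiality for this message
 * @throws GSSException with {@code FAILURE} wrapping an I/O error while
 *         reading, or whatever the byte-array {@code wrap} throws
 */
public final void wrap(InputStream is, OutputStream os,
                       MessageProp msgProp) throws GSSException {

    byte[] data;
    try {
        data = new byte[is.available()];
        // A single read(byte[]) may return fewer bytes than requested;
        // keep reading until the buffer is full or the stream ends, and
        // trim on early EOF so no unread zero bytes are wrapped as data.
        int filled = 0;
        while (filled < data.length) {
            int r = is.read(data, filled, data.length - filled);
            if (r < 0) {
                break;
            }
            filled += r;
        }
        if (filled < data.length) {
            data = java.util.Arrays.copyOf(data, filled);
        }
    } catch (IOException e) {
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }
    wrap(data, 0, data.length, os, msgProp);
}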
/**
 * Unwraps the per-message token held in {@code len} bytes of
 * {@code inBuf} at {@code offset} and returns the recovered application
 * data.
 *
 * @param inBuf buffer holding the wrap token
 * @param offset start of the token within {@code inBuf}
 * @param len length of the token
 * @param msgProp passed to the token for decoding; when replay or
 *        sequence detection is enabled it also receives this token's
 *        sequencing properties
 * @return the unwrapped application data
 * @throws GSSException with {@code NO_CONTEXT} if the context is not
 *         fully established, or whatever token parsing raises
 */
public final byte[] unwrap(byte[] inBuf, int offset, int len,
                           MessageProp msgProp)
    throws GSSException {

    if (DEBUG) {
        System.out.println("Krb5Context.unwrap: token=["
                           + getHexBytes(inBuf, offset, len)
                           + "]");
    }

    if (state != STATE_DONE) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
                               " Unwrap called in invalid state!");
    }

    byte[] data = null;
    switch (cipherHelper.getProto()) {
        case 0: {
            WrapToken token =
                new WrapToken(this, inBuf, offset, len, msgProp);
            data = token.getData();
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        case 1: {
            WrapToken_v2 token =
                new WrapToken_v2(this, inBuf, offset, len, msgProp);
            data = token.getData();
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        default:
            break;
    }

    if (DEBUG) {
        System.out.println("Krb5Context.unwrap: data=["
                           + getHexBytes(data, 0, data.length)
                           + "]");
    }
    return data;
}
/**
 * Unwraps the token held in {@code len} bytes of {@code inBuf} at
 * {@code inOffset} and writes the recovered data into {@code outBuf}
 * at {@code outOffset}.
 *
 * @param inBuf buffer holding the wrap token
 * @param inOffset start of the token within {@code inBuf}
 * @param len length of the token
 * @param outBuf destination for the application data
 * @param outOffset position in {@code outBuf} at which to start writing
 * @param msgProp passed to the token for decoding; when replay or
 *        sequence detection is enabled it also receives this token's
 *        sequencing properties
 * @return number of data bytes written; {@code len} unchanged if the
 *         protocol version is neither 0 nor 1
 * @throws GSSException with {@code NO_CONTEXT} if the context is not
 *         fully established, or whatever token parsing raises
 */
public final int unwrap(byte[] inBuf, int inOffset, int len,
                        byte[] outBuf, int outOffset,
                        MessageProp msgProp) throws GSSException {

    if (state != STATE_DONE) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
                               "Unwrap called in invalid state!");
    }

    int dataLen = len;
    switch (cipherHelper.getProto()) {
        case 0: {
            WrapToken token =
                new WrapToken(this, inBuf, inOffset, len, msgProp);
            dataLen = token.getData(outBuf, outOffset);
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        case 1: {
            WrapToken_v2 token =
                new WrapToken_v2(this, inBuf, inOffset, len, msgProp);
            dataLen = token.getData(outBuf, outOffset);
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        default:
            break;
    }
    return dataLen;
}
/**
 * Reads a wrap token from {@code is} and writes the recovered data into
 * {@code outBuf} at {@code outOffset}.
 *
 * @param is stream holding the wrap token
 * @param outBuf destination for the application data
 * @param outOffset position in {@code outBuf} at which to start writing
 * @param msgProp passed to the token for decoding; when replay or
 *        sequence detection is enabled it also receives this token's
 *        sequencing properties
 * @return number of data bytes written; 0 if the protocol version is
 *         neither 0 nor 1
 * @throws GSSException with {@code NO_CONTEXT} if the context is not
 *         fully established, or whatever token parsing raises
 */
public final int unwrap(InputStream is,
                        byte[] outBuf, int outOffset,
                        MessageProp msgProp) throws GSSException {

    if (state != STATE_DONE) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
                               "Unwrap called in invalid state!");
    }

    int dataLen = 0;
    switch (cipherHelper.getProto()) {
        case 0: {
            WrapToken token = new WrapToken(this, is, msgProp);
            dataLen = token.getData(outBuf, outOffset);
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        case 1: {
            WrapToken_v2 token = new WrapToken_v2(this, is, msgProp);
            dataLen = token.getData(outBuf, outOffset);
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        default:
            break;
    }
    return dataLen;
}
/**
 * Reads a wrap token from {@code is} and writes the recovered data to
 * {@code os}.
 *
 * @param is stream holding the wrap token
 * @param os destination for the application data
 * @param msgProp passed to the token for decoding; when replay or
 *        sequence detection is enabled it also receives this token's
 *        sequencing properties
 * @throws GSSException with {@code NO_CONTEXT} if the context is not
 *         fully established, {@code FAILURE} wrapping an I/O error on
 *         {@code os}, or whatever token parsing raises
 */
public final void unwrap(InputStream is, OutputStream os,
                         MessageProp msgProp) throws GSSException {

    if (state != STATE_DONE) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
                               "Unwrap called in invalid state!");
    }

    byte[] data = null;
    switch (cipherHelper.getProto()) {
        case 0: {
            WrapToken token = new WrapToken(this, is, msgProp);
            data = token.getData();
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        case 1: {
            WrapToken_v2 token = new WrapToken_v2(this, is, msgProp);
            data = token.getData();
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        default:
            break;
    }

    try {
        os.write(data);
    } catch (IOException e) {
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }
}
/**
 * Computes a MIC token over {@code len} bytes of {@code inMsg} starting
 * at {@code offset}.
 *
 * @param inMsg the message to protect
 * @param offset start of the message within {@code inMsg}
 * @param len number of message bytes
 * @param msgProp requested QOP for this message
 * @return the encoded MIC token; {@code null} if the protocol version is
 *         neither 0 nor 1
 * @throws GSSException with {@code FAILURE} wrapping an I/O error
 */
public final byte[] getMIC(byte[] inMsg, int offset, int len,
                           MessageProp msgProp)
    throws GSSException {

    try {
        switch (cipherHelper.getProto()) {
            case 0:
                return new MicToken(this, msgProp, inMsg, offset, len)
                           .encode();
            case 1:
                return new MicToken_v2(this, msgProp, inMsg, offset, len)
                           .encode();
            default:
                return null;
        }
    } catch (IOException e) {
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }
}
/**
 * Computes a MIC token over {@code len} bytes of {@code inMsg} starting
 * at {@code offset} and writes it into {@code outBuf} at
 * {@code outOffset}.
 *
 * @param inMsg the message to protect
 * @param offset start of the message within {@code inMsg}
 * @param len number of message bytes
 * @param outBuf destination for the encoded token
 * @param outOffset position in {@code outBuf} at which to start writing
 * @param msgProp requested QOP for this message
 * @return number of token bytes written; 0 if the protocol version is
 *         neither 0 nor 1
 * @throws GSSException with {@code FAILURE} wrapping an I/O error
 */
private int getMIC(byte[] inMsg, int offset, int len,
                   byte[] outBuf, int outOffset,
                   MessageProp msgProp)
    throws GSSException {

    try {
        switch (cipherHelper.getProto()) {
            case 0:
                return new MicToken(this, msgProp, inMsg, offset, len)
                           .encode(outBuf, outOffset);
            case 1:
                return new MicToken_v2(this, msgProp, inMsg, offset, len)
                           .encode(outBuf, outOffset);
            default:
                return 0;
        }
    } catch (IOException e) {
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }
}
/* |
|
1198 |
* Checksum calculation requires a byte[]. Hence might as well pass |
|
1199 |
* a byte[] into the MicToken constructor. However, writing the |
|
1200 |
* token can be optimized for cases where the application passed in |
|
1201 |
* an OutputStream. |
|
1202 |
*/ |
/**
 * Computes a MIC token over {@code len} bytes of {@code inMsg} starting
 * at {@code offset} and writes it to {@code os}.
 *
 * @param inMsg the message to protect
 * @param offset start of the message within {@code inMsg}
 * @param len number of message bytes
 * @param os destination stream for the encoded token
 * @param msgProp requested QOP for this message
 * @throws GSSException with {@code FAILURE} wrapping an I/O error
 */
private void getMIC(byte[] inMsg, int offset, int len,
                    OutputStream os, MessageProp msgProp)
    throws GSSException {

    try {
        switch (cipherHelper.getProto()) {
            case 0:
                new MicToken(this, msgProp, inMsg, offset, len).encode(os);
                break;
            case 1:
                new MicToken_v2(this, msgProp, inMsg, offset, len).encode(os);
                break;
            default:
                // unknown protocol version: nothing is written
                break;
        }
    } catch (IOException e) {
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }
}
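/**
 * Computes a MIC token over the data currently available on {@code is}
 * and writes it to {@code os}. Only the number of bytes reported by
 * {@code is.available()} is consumed.
 *
 * @param is the message to protect
 * @param os destination stream for the encoded token
 * @param msgProp requested QOP for this message
 * @throws GSSException with {@code FAILURE} wrapping an I/O error while
 *         reading, or whatever the byte-array {@code getMIC} throws
 */
public final void getMIC(InputStream is, OutputStream os,
                         MessageProp msgProp) throws GSSException {
    byte[] data;
    try {
        data = new byte[is.available()];
        // A single read(byte[]) may return fewer bytes than requested;
        // keep reading until the buffer is full or the stream ends, and
        // trim on early EOF so the MIC covers exactly the bytes read,
        // not trailing zero padding.
        int filled = 0;
        while (filled < data.length) {
            int r = is.read(data, filled, data.length - filled);
            if (r < 0) {
                break;
            }
            filled += r;
        }
        if (filled < data.length) {
            data = java.util.Arrays.copyOf(data, filled);
        }
    } catch (IOException e) {
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }
    getMIC(data, 0, data.length, os, msgProp);
}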
/**
 * Verifies the MIC token held in {@code tokLen} bytes of {@code inTok}
 * at {@code tokOffset} against {@code msgLen} bytes of {@code inMsg} at
 * {@code msgOffset}.
 *
 * @param inTok buffer holding the MIC token
 * @param tokOffset start of the token within {@code inTok}
 * @param tokLen length of the token
 * @param inMsg buffer holding the message the MIC was computed over
 * @param msgOffset start of the message within {@code inMsg}
 * @param msgLen length of the message
 * @param msgProp passed to the token for decoding; when replay or
 *        sequence detection is enabled it also receives this token's
 *        sequencing properties
 * @throws GSSException if the token is malformed or verification fails
 */
public final void verifyMIC(byte[] inTok, int tokOffset, int tokLen,
                            byte[] inMsg, int msgOffset, int msgLen,
                            MessageProp msgProp)
    throws GSSException {

    switch (cipherHelper.getProto()) {
        case 0: {
            MicToken token =
                new MicToken(this, inTok, tokOffset, tokLen, msgProp);
            token.verify(inMsg, msgOffset, msgLen);
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        case 1: {
            MicToken_v2 token =
                new MicToken_v2(this, inTok, tokOffset, tokLen, msgProp);
            token.verify(inMsg, msgOffset, msgLen);
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        default:
            // unknown protocol version: nothing is verified
            break;
    }
}
/**
 * Reads a MIC token from {@code is} and verifies it against
 * {@code msgLen} bytes of {@code inMsg} at {@code msgOffset}.
 *
 * @param is stream holding the MIC token
 * @param inMsg buffer holding the message the MIC was computed over
 * @param msgOffset start of the message within {@code inMsg}
 * @param msgLen length of the message
 * @param msgProp passed to the token for decoding; when replay or
 *        sequence detection is enabled it also receives this token's
 *        sequencing properties
 * @throws GSSException if the token is malformed or verification fails
 */
private void verifyMIC(InputStream is,
                       byte[] inMsg, int msgOffset, int msgLen,
                       MessageProp msgProp)
    throws GSSException {

    switch (cipherHelper.getProto()) {
        case 0: {
            MicToken token = new MicToken(this, is, msgProp);
            token.verify(inMsg, msgOffset, msgLen);
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        case 1: {
            MicToken_v2 token = new MicToken_v2(this, is, msgProp);
            token.verify(inMsg, msgOffset, msgLen);
            setSequencingAndReplayProps(token, msgProp);
            break;
        }
        default:
            // unknown protocol version: nothing is verified
            break;
    }
}
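/**
 * Reads a MIC token from {@code is} and verifies it against the message
 * currently available on {@code msgStr}. Only the number of bytes
 * reported by {@code msgStr.available()} is consumed from the message
 * stream.
 *
 * @param is stream holding the MIC token
 * @param msgStr stream holding the message the MIC was computed over
 * @param mProp passed through to token verification
 * @throws GSSException with {@code FAILURE} wrapping an I/O error on the
 *         message stream, or whatever verification raises
 */
public final void verifyMIC(InputStream is, InputStream msgStr,
                            MessageProp mProp) throws GSSException {
    byte[] msg;
    try {
        msg = new byte[msgStr.available()];
        // A single read(byte[]) may return fewer bytes than requested;
        // keep reading until the buffer is full or the stream ends, and
        // trim on early EOF so the MIC is checked over exactly the bytes
        // read rather than over trailing zero padding.
        int filled = 0;
        while (filled < msg.length) {
            int r = msgStr.read(msg, filled, msg.length - filled);
            if (r < 0) {
                break;
            }
            filled += r;
        }
        if (filled < msg.length) {
            msg = java.util.Arrays.copyOf(msg, filled);
        }
    } catch (IOException e) {
        GSSException gssException =
            new GSSException(GSSException.FAILURE, -1, e.getMessage());
        gssException.initCause(e);
        throw gssException;
    }
    verifyMIC(is, msg, 0, msg.length, mProp);
}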
/**
 * Would produce a token representing this context so it could be
 * re-imported elsewhere; context export is not supported by this
 * mechanism, so the call always fails.
 *
 * @return never returns normally
 * @throws GSSException always, with major code {@code UNAVAILABLE}
 */
public final byte[] export() throws GSSException {
    throw new GSSException(GSSException.UNAVAILABLE, -1,
                           "GSS Export Context not available");
}
/**
 * Releases the context's resources and terminates the context between
 * the two peers: the state becomes {@code STATE_DELETED} and every
 * credential and key reference held by the context is dropped.
 *
 * @throws GSSException declared with major codes NO_CONTEXT, FAILURE for
 *         interface compatibility; this implementation does not throw
 */
public final void dispose() throws GSSException {
    state = STATE_DELETED;
    // Drop references to the credential and key material held here.
    key = null;
    serviceCreds = null;
    tgt = null;
    delegatedCred = null;
}
/**
 * Returns the security provider this mechanism belongs to.
 *
 * @return {@code Krb5MechFactory.PROVIDER}
 */
public final Provider getProvider() {
    Provider krb5Provider = Krb5MechFactory.PROVIDER;
    return krb5Provider;
}
/**
 * Sets replay and sequencing information for a message token received
 * from the peer. Nothing is done unless replay detection or sequence
 * detection was negotiated for this context.
 *
 * @param token the received token, supplying its sequence number
 * @param prop the message properties updated by the peer token tracker
 */
private void setSequencingAndReplayProps(MessageToken token,
                                         MessageProp prop) {
    if (!replayDetState && !sequenceDetState) {
        return;
    }
    peerTokenTracker.getProps(token.getSequenceNumber(), prop);
}
/**
 * Sets replay and sequencing information for a version-2 message token
 * received from the peer. Nothing is done unless replay detection or
 * sequence detection was negotiated for this context.
 *
 * @param token the received token, supplying its sequence number
 * @param prop the message properties updated by the peer token tracker
 */
private void setSequencingAndReplayProps(MessageToken_v2 token,
                                         MessageProp prop) {
    if (!replayDetState && !sequenceDetState) {
        return;
    }
    peerTokenTracker.getProps(token.getSequenceNumber(), prop);
}
/**
 * Checks, when a SecurityManager is installed, that the caller holds a
 * {@link ServicePermission} naming {@code principal} with the given
 * {@code action} (e.g. "initiate"). Without a SecurityManager the check
 * is skipped.
 *
 * @param principal the Kerberos principal name the permission covers
 * @param action the ServicePermission action to check
 * @throws SecurityException from the SecurityManager if the permission
 *         is not granted
 */
private void checkPermission(String principal, String action) {
    SecurityManager sm = System.getSecurityManager();
    if (sm == null) {
        return;
    }
    sm.checkPermission(new ServicePermission(principal, action));
}
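/**
 * Renders {@code len} bytes of {@code bytes}, starting at {@code pos}, as
 * space-separated lowercase hex pairs (e.g. {@code "12 ab "}), for debugging.
 *
 * Previously the loop indexed from 0 regardless of {@code pos}, so any
 * caller passing a non-zero offset got the wrong bytes dumped.
 *
 * @param bytes the buffer to dump
 * @param pos   offset of the first byte to render
 * @param len   number of bytes to render; 0 yields an empty string
 * @return the hex rendering, with a trailing space after every byte
 * @throws ArrayIndexOutOfBoundsException if {@code pos + len} exceeds the buffer
 */
private static String getHexBytes(byte[] bytes, int pos, int len) {
    StringBuilder sb = new StringBuilder(len * 3);
    for (int i = 0; i < len; i++) {
        int b = bytes[pos + i];
        // Mask after the shift so negative bytes still yield a single nibble.
        int hi = (b >> 4) & 0x0f;
        int lo = b & 0x0f;
        sb.append(Integer.toHexString(hi));
        sb.append(Integer.toHexString(lo));
        sb.append(' ');
    }
    return sb.toString();
}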
/**
 * Maps a context state constant to its symbolic name, for diagnostics.
 *
 * @param state one of the {@code STATE_*} constants
 * @return the constant's name, or {@code "Unknown state N"} for any other value
 */
private static String printState(int state) {
    final String name;
    switch (state) {
        case STATE_NEW:
            name = "STATE_NEW";
            break;
        case STATE_IN_PROCESS:
            name = "STATE_IN_PROCESS";
            break;
        case STATE_DONE:
            name = "STATE_DONE";
            break;
        case STATE_DELETED:
            name = "STATE_DELETED";
            break;
        default:
            name = "Unknown state " + state;
            break;
    }
    return name;
}
/**
 * Returns the caller type this context was created for.
 *
 * @return the {@code GSSCaller} recorded at construction
 */
GSSCaller getCaller() {
    // Currently used by InitialToken only
    return this.caller;
}
/** |
* The session key returned by inquireSecContext(KRB5_INQ_SSPI_SESSION_KEY) |
*/ |
static class KerberosSessionKey implements Key {
    private static final long serialVersionUID = 699307378954123869L;

    // The wrapped internal key; not a Serializable type, hence the suppression.
    @SuppressWarnings("serial") // Not statically typed as Serializable
    private final EncryptionKey key;

    KerberosSessionKey(EncryptionKey key) {
        this.key = key;
    }

    /** The Kerberos etype number, rendered as a decimal string. */
    @Override
    public String getAlgorithm() {
        return String.valueOf(key.getEType());
    }

    /** Always {@code "RAW"}: {@link #getEncoded()} returns the bare key bytes. */
    @Override
    public String getFormat() {
        return "RAW";
    }

    /**
     * A fresh copy of the raw key bytes; callers may modify the returned
     * array without affecting this key.
     */
    @Override
    public byte[] getEncoded() {
        final byte[] raw = key.getBytes();
        return raw.clone();
    }

    /**
     * Etype plus a hex dump of the full key material.
     * NOTE(review): the output contains the secret key bytes, so it must not
     * be routed to logs or error messages.
     */
    @Override
    public String toString() {
        final StringBuilder sb = new StringBuilder("Kerberos session key: etype: ");
        sb.append(key.getEType()).append('\n');
        sb.append(new HexDumpEncoder().encodeBuffer(key.getBytes()));
        return sb.toString();
    }
}
/** |
* Return the mechanism-specific attribute associated with {@code type}. |
*/ |
public Object inquireSecContext(String type)
        throws GSSException {
    // Nothing is exposed until the context is fully established.
    if (!isEstablished()) {
        throw new GSSException(GSSException.NO_CONTEXT, -1,
                "Security context not established.");
    }
    switch (type) {
        case "KRB5_GET_SESSION_KEY":
            // Wrapper over the internal key; its getEncoded() hands out a copy.
            return new KerberosSessionKey(key);
        case "KRB5_GET_SESSION_KEY_EX":
            return new javax.security.auth.kerberos.EncryptionKey(
                    key.getBytes(), key.getEType());
        case "KRB5_GET_TKT_FLAGS":
            // Cloned so the caller cannot alter the recorded flags.
            // NOTE(review): this dereferences tktFlags, so it fails with a
            // NullPointerException if setTktFlags was never called — confirm
            // every establishment path sets it.
            return tktFlags.clone();
        case "KRB5_GET_AUTHZ_DATA":
            // Authorization data is only served on the acceptor side.
            if (isInitiator()) {
                throw new GSSException(GSSException.UNAVAILABLE, -1,
                        "AuthzData not available on initiator side.");
            }
            // NOTE(review): returned as-is, not copied, unlike tktFlags above;
            // check whether AuthorizationData is mutable before relying on it.
            return authzData;
        case "KRB5_GET_AUTHTIME":
            return authTime;
        case "KRB5_GET_KRB_CRED":
            // KRB_CRED is built from tgt/serviceCreds/key, which only the
            // initiator side holds.
            if (!isInitiator()) {
                throw new GSSException(GSSException.UNAVAILABLE, -1,
                        "KRB_CRED not available on acceptor side.");
            }
            return buildKrbCredMessage();
        default:
            throw new GSSException(GSSException.UNAVAILABLE, -1,
                    "Inquire type not supported.");
    }
}

/**
 * Packages {@code tgt}, {@code serviceCreds} and {@code key} into a KRB_CRED
 * message addressed from {@code myName} to {@code peerName}.
 *
 * @return the encoded KRB_CRED together with its sender and recipient
 * @throws GSSException with major code UNAVAILABLE when encoding fails; the
 *         underlying {@code KrbException} or {@code IOException} is attached
 *         as the cause
 */
private KerberosCredMessage buildKrbCredMessage() throws GSSException {
    final KerberosPrincipal sender = new KerberosPrincipal(
            myName.getKrb5PrincipalName().getName());
    final KerberosPrincipal recipient = new KerberosPrincipal(
            peerName.getKrb5PrincipalName().getName());
    try {
        final byte[] krbCred =
                new KrbCred(tgt, serviceCreds, key).getMessage();
        return new KerberosCredMessage(sender, recipient, krbCred);
    } catch (KrbException | IOException e) {
        // Keep the original failure reachable through getCause().
        final GSSException gsse = new GSSException(GSSException.UNAVAILABLE, -1,
                "KRB_CRED not generated correctly.");
        gsse.initCause(e);
        throw gsse;
    }
}
// Helpers for inquireSecContext
// Populated through the setters below. inquireSecContext hands tktFlags out
// as a clone, while authTime and authzData are returned as-is.
private boolean[] tktFlags;
private String authTime;
private AuthorizationData authzData;
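/**
 * Records the ticket flags later exposed through
 * {@code inquireSecContext("KRB5_GET_TKT_FLAGS")}.
 *
 * The array is copied on the way in so the caller cannot change the flags
 * this context reports after the fact; the read path already hands out a
 * clone, and copying here makes both directions consistent.
 *
 * @param tktFlags the flags to record; {@code null} clears them
 */
public void setTktFlags(boolean[] tktFlags) {
    this.tktFlags = (tktFlags == null) ? null : tktFlags.clone();
}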
/**
 * Records the authentication time later exposed through
 * {@code inquireSecContext("KRB5_GET_AUTHTIME")}.
 *
 * @param authTime the auth time string to report; stored without validation
 */
public void setAuthTime(String authTime) {
    this.authTime = authTime;
}
/**
 * Records the authorization data later exposed through
 * {@code inquireSecContext("KRB5_GET_AUTHZ_DATA")} on the acceptor side.
 *
 * @param authzData the authorization data to report; the reference is kept
 *                  as-is and later returned without copying
 */
public void setAuthzData(AuthorizationData authzData) {
    this.authzData = authzData;
}
} |