jdk-sandbox: src/java.security.jgss/share/classes/sun/security/krb5/KrbAsReqBuilder.java@9c3209ff7550 (annotated)

7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	1	/*
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	2	* Copyright (c) 2010, 2019, Oracle and/or its affiliates. All rights reserved.
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	4	*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	10	*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	15	* accompanied this code).
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	16	*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	20	*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	23	* questions.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	24	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	25
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	26	package sun.security.krb5;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	27
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	28	import java.io.IOException;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	29	import java.util.Arrays;
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	30	import javax.security.auth.kerberos.KeyTab;
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	31	import sun.security.jgss.krb5.Krb5Util;
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	32	import sun.security.krb5.internal.HostAddresses;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	33	import sun.security.krb5.internal.KDCOptions;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	34	import sun.security.krb5.internal.KRBError;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	35	import sun.security.krb5.internal.KerberosTime;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	36	import sun.security.krb5.internal.Krb5;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	37	import sun.security.krb5.internal.PAData;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	38	import sun.security.krb5.internal.crypto.EType;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	39
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	40	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	41	* A manager class for AS-REQ communications.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	42	*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	43	* This class does:
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	44	* 1. Gather information to create AS-REQ
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	45	* 2. Create and send AS-REQ
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	46	* 3. Receive AS-REP and KRB-ERROR (-KRB_ERR_RESPONSE_TOO_BIG) and parse them
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	47	* 4. Emit credentials and secret keys (for JAAS storeKey=true with password)
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	48	*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	49	* This class does not:
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	50	* 1. Deal with real communications (KdcComm does it, and TGS-REQ)
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	51	* a. Name of KDCs for a realm
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	52	* b. Server availability, timeout, UDP or TCP
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	53	* d. KRB_ERR_RESPONSE_TOO_BIG
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	54	* 2. Stores its own copy of password, this means:
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	55	* a. Do not change/wipe it before Builder finish
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	56	* b. Builder will not wipe it for you
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	57	*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	58	* With this class:
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	59	* 1. KrbAsReq has only one constructor
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	60	* 2. Krb5LoginModule and Kinit call a single builder
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	61	* 3. Better handling of sensitive info
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	62	*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	63	* @since 1.7
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	64	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	65
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	66	public final class KrbAsReqBuilder {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	67
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	68	// Common data for AS-REQ fields
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	69	private KDCOptions options;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	70	private PrincipalName cname;
57487 643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found mbalao parents: 55639 diff changeset	71	private PrincipalName refCname; // May be changed by referrals
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	72	private PrincipalName sname;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	73	private KerberosTime from;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	74	private KerberosTime till;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	75	private KerberosTime rtime;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	76	private HostAddresses addresses;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	77
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	78	// Secret source: can't be changed once assigned, only one (of the two
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	79	// sources) can be set to non-null
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	80	private final char[] password;
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	81	private final KeyTab ktab;
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	82
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	83	// Used to create a ENC-TIMESTAMP in the 2nd AS-REQ
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	84	private PAData[] paList; // PA-DATA from both KRB-ERROR and AS-REP.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	85	// Used by getKeys() only.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	86	// Only AS-REP should be enough per RFC,
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	87	// combined in case etypes are different.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	88
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	89	// The generated and received:
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	90	private KrbAsReq req;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	91	private KrbAsRep rep;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	92
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	93	private static enum State {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	94	INIT, // Initialized, can still add more initialization info
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	95	REQ_OK, // AS-REQ performed
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	96	DESTROYED, // Destroyed, not usable anymore
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	97	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	98	private State state;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	99
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	100	// Called by other constructors
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	101	private void init(PrincipalName cname)
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	102	throws KrbException {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	103	this.cname = cname;
57487 643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found mbalao parents: 55639 diff changeset	104	this.refCname = cname;
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	105	state = State.INIT;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	106	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	107
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	108	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	109	* Creates a builder to be used by {@code cname} with existing keys.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	110	*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	111	* @param cname the client of the AS-REQ. Must not be null. Might have no
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	112	* realm, where default realm will be used. This realm will be the target
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	113	* realm for AS-REQ. I believe a client should only get initial TGT from
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	114	* its own realm.
32003 acb12269398a 8132130: some docs cleanup avstepan parents: 27946 diff changeset	115	* @param ktab must not be null. If empty, might be quite useless.
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	116	* This argument will neither be modified nor stored by the method.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	117	* @throws KrbException
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	118	*/
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	119	public KrbAsReqBuilder(PrincipalName cname, KeyTab ktab)
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	120	throws KrbException {
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	121	init(cname);
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	122	this.ktab = ktab;
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	123	this.password = null;
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	124	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	125
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	126	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	127	* Creates a builder to be used by {@code cname} with a known password.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	128	*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	129	* @param cname the client of the AS-REQ. Must not be null. Might have no
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	130	* realm, where default realm will be used. This realm will be the target
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	131	* realm for AS-REQ. I believe a client should only get initial TGT from
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	132	* its own realm.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	133	* @param pass must not be null. This argument will neither be modified
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	134	* nor stored by the method.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	135	* @throws KrbException
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	136	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	137	public KrbAsReqBuilder(PrincipalName cname, char[] pass)
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	138	throws KrbException {
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	139	init(cname);
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	140	this.password = pass.clone();
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	141	this.ktab = null;
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	142	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	143
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	144	/**
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	145	* Retrieves an array of secret keys for the client. This is used when
10695 08c28770f82b 7089889: Krb5LoginModule.login() throws an exception if used without a keytab weijun parents: 10432 diff changeset	146	* the client supplies password but need keys to act as an acceptor. For
08c28770f82b 7089889: Krb5LoginModule.login() throws an exception if used without a keytab weijun parents: 10432 diff changeset	147	* an initiator, it must be called after AS-REQ is performed (state is OK).
08c28770f82b 7089889: Krb5LoginModule.login() throws an exception if used without a keytab weijun parents: 10432 diff changeset	148	* For an acceptor, it can be called when this KrbAsReqBuilder object is
08c28770f82b 7089889: Krb5LoginModule.login() throws an exception if used without a keytab weijun parents: 10432 diff changeset	149	* constructed (state is INIT).
08c28770f82b 7089889: Krb5LoginModule.login() throws an exception if used without a keytab weijun parents: 10432 diff changeset	150	* @param isInitiator if the caller is an initiator
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	151	* @return generated keys from password. PA-DATA from server might be used.
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	152	* All "default_tkt_enctypes" keys will be generated, Never null.
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	153	* @throws IllegalStateException if not constructed from a password
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	154	* @throws KrbException
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	155	*/
10695 08c28770f82b 7089889: Krb5LoginModule.login() throws an exception if used without a keytab weijun parents: 10432 diff changeset	156	public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
08c28770f82b 7089889: Krb5LoginModule.login() throws an exception if used without a keytab weijun parents: 10432 diff changeset	157	checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	158	if (password != null) {
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	159	int[] eTypes = EType.getDefaults("default_tkt_enctypes");
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	160	EncryptionKey[] result = new EncryptionKey[eTypes.length];
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	161
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	162	/*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	163	* Returns an array of keys. Before KrbAsReqBuilder, all etypes
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	164	* use the same salt which is either the default one or a new salt
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	165	* coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	166	* own new salt from PA-DATA. For an etype with no PA-DATA new salt
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	167	* at all, what salt should it use?
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	168	*
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	169	* Commonly, the stored keys are only to be used by an acceptor to
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	170	* decrypt service ticket in AP-REQ. Most impls only allow keys
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	171	* from a keytab on acceptor, but unfortunately (?) Java supports
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	172	* acceptor using password. In this case, if the service ticket is
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	173	* encrypted using an etype which we don't have PA-DATA new salt,
10432 ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	174	* using the default salt might be wrong (say, case-insensitive
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	175	* user name). Instead, we would use the new salt of another etype.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	176	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	177
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	178	String salt = null; // the saved new salt
10432 ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	179	try {
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	180	for (int i=0; i<eTypes.length; i++) {
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	181	// First round, only calculate those have a PA entry
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	182	PAData.SaltAndParams snp =
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	183	PAData.getSaltAndParams(eTypes[i], paList);
10432 ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	184	if (snp != null) {
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	185	// Never uses a salt for rc4-hmac, it does not use
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	186	// a salt at all
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	187	if (eTypes[i] != EncryptedData.ETYPE_ARCFOUR_HMAC &&
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	188	snp.salt != null) {
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	189	salt = snp.salt;
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	190	}
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	191	result[i] = EncryptionKey.acquireSecretKey(cname,
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	192	password,
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	193	eTypes[i],
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	194	snp);
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	195	}
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	196	}
10432 ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	197	// No new salt from PA, maybe empty, maybe only rc4-hmac
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	198	if (salt == null) salt = cname.getSalt();
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	199	for (int i=0; i<eTypes.length; i++) {
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	200	// Second round, calculate those with no PA entry
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	201	if (result[i] == null) {
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	202	result[i] = EncryptionKey.acquireSecretKey(password,
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	203	salt,
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	204	eTypes[i],
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	205	null);
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	206	}
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	207	}
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	208	} catch (IOException ioe) {
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	209	KrbException ke = new KrbException(Krb5.ASN1_PARSE_ERROR);
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	210	ke.initCause(ioe);
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	211	throw ke;
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	212	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	213	return result;
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	214	} else {
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	215	throw new IllegalStateException("Required password not provided");
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	216	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	217	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	218
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	219	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	220	* Sets or clears options. If cleared, default options will be used
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	221	* at creation time.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	222	* @param options
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	223	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	224	public void setOptions(KDCOptions options) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	225	checkState(State.INIT, "Cannot specify options");
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	226	this.options = options;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	227	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	228
27946 9f99b93cbbb2 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes weijun parents: 25859 diff changeset	229	public void setTill(KerberosTime till) {
9f99b93cbbb2 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes weijun parents: 25859 diff changeset	230	checkState(State.INIT, "Cannot specify till");
9f99b93cbbb2 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes weijun parents: 25859 diff changeset	231	this.till = till;
9f99b93cbbb2 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes weijun parents: 25859 diff changeset	232	}
9f99b93cbbb2 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes weijun parents: 25859 diff changeset	233
9f99b93cbbb2 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes weijun parents: 25859 diff changeset	234	public void setRTime(KerberosTime rtime) {
9f99b93cbbb2 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes weijun parents: 25859 diff changeset	235	checkState(State.INIT, "Cannot specify rtime");
9f99b93cbbb2 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes weijun parents: 25859 diff changeset	236	this.rtime = rtime;
9f99b93cbbb2 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes weijun parents: 25859 diff changeset	237	}
9f99b93cbbb2 8044500: Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes weijun parents: 25859 diff changeset	238
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	239	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	240	* Sets or clears target. If cleared, KrbAsReq might choose krbtgt
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	241	* for cname realm
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	242	* @param sname
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	243	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	244	public void setTarget(PrincipalName sname) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	245	checkState(State.INIT, "Cannot specify target");
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	246	this.sname = sname;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	247	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	248
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	249	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	250	* Adds or clears addresses. KrbAsReq might add some if empty
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	251	* field not allowed
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	252	* @param addresses
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	253	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	254	public void setAddresses(HostAddresses addresses) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	255	checkState(State.INIT, "Cannot specify addresses");
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	256	this.addresses = addresses;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	257	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	258
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	259	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	260	* Build a KrbAsReq object from all info fed above. Normally this method
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	261	* will be called twice: initial AS-REQ and second with pakey
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	262	* @param key null (initial AS-REQ) or pakey (with preauth)
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	263	* @return the KrbAsReq object
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	264	* @throws KrbException
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	265	* @throws IOException
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	266	*/
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	267	private KrbAsReq build(EncryptionKey key, ReferralsState referralsState)
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	268	throws KrbException, IOException {
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	269	PAData[] extraPAs = null;
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	270	int[] eTypes;
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	271	if (password != null) {
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	272	eTypes = EType.getDefaults("default_tkt_enctypes");
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	273	} else {
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	274	EncryptionKey[] ks = Krb5Util.keysFromJavaxKeyTab(ktab, cname);
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	275	eTypes = EType.getDefaults("default_tkt_enctypes",
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	276	ks);
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	277	for (EncryptionKey k: ks) k.destroy();
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	278	}
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	279	options = (options == null) ? new KDCOptions() : options;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	280	if (referralsState.isEnabled()) {
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	281	options.set(KDCOptions.CANONICALIZE, true);
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	282	extraPAs = new PAData[]{ new PAData(Krb5.PA_REQ_ENC_PA_REP,
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	283	new byte[]{}) };
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	284	} else {
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	285	options.set(KDCOptions.CANONICALIZE, false);
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	286	}
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	287	return new KrbAsReq(key,
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	288	options,
57487 643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found mbalao parents: 55639 diff changeset	289	refCname,
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	290	sname,
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	291	from,
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	292	till,
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	293	rtime,
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	294	eTypes,
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	295	addresses,
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	296	extraPAs);
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	297	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	298
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	299	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	300	* Parses AS-REP, decrypts enc-part, retrieves ticket and session key
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	301	* @throws KrbException
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	302	* @throws Asn1Exception
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	303	* @throws IOException
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	304	*/
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	305	private KrbAsReqBuilder resolve()
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	306	throws KrbException, Asn1Exception, IOException {
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	307	if (ktab != null) {
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	308	rep.decryptUsingKeyTab(ktab, req, cname);
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	309	} else {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	310	rep.decryptUsingPassword(password, req, cname);
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	311	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	312	if (rep.getPA() != null) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	313	if (paList == null \|\| paList.length == 0) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	314	paList = rep.getPA();
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	315	} else {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	316	int extraLen = rep.getPA().length;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	317	if (extraLen > 0) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	318	int oldLen = paList.length;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	319	paList = Arrays.copyOf(paList, paList.length + extraLen);
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	320	System.arraycopy(rep.getPA(), 0, paList, oldLen, extraLen);
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	321	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	322	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	323	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	324	return this;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	325	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	326
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	327	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	328	* Communication until AS-REP or non preauth-related KRB-ERROR received
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	329	* @throws KrbException
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	330	* @throws IOException
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	331	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	332	private KrbAsReqBuilder send() throws KrbException, IOException {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	333	boolean preAuthFailedOnce = false;
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	334	KdcComm comm = null;
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	335	EncryptionKey pakey = null;
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	336	ReferralsState referralsState = new ReferralsState();
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	337	while (true) {
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	338	if (referralsState.refreshComm()) {
57487 643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found mbalao parents: 55639 diff changeset	339	comm = new KdcComm(refCname.getRealmAsString());
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	340	}
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	341	try {
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	342	req = build(pakey, referralsState);
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	343	rep = new KrbAsRep(comm.send(req.encoding()));
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	344	return this;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	345	} catch (KrbException ke) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	346	if (!preAuthFailedOnce && (
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	347	ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED \|\|
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	348	ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED)) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	349	if (Krb5.DEBUG) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	350	System.out.println("KrbAsReqBuilder: " +
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	351	"PREAUTH FAILED/REQ, re-send AS-REQ");
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	352	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	353	preAuthFailedOnce = true;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	354	KRBError kerr = ke.getError();
10432 ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	355	int paEType = PAData.getPreferredEType(kerr.getPA(),
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	356	EType.getDefaults("default_tkt_enctypes")[0]);
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	357	if (password == null) {
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	358	EncryptionKey[] ks = Krb5Util.keysFromJavaxKeyTab(ktab, cname);
10432 ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	359	pakey = EncryptionKey.findKey(paEType, ks);
9499 f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	360	if (pakey != null) pakey = (EncryptionKey)pakey.clone();
f3115698a012 6894072: always refresh keytab weijun parents: 7183 diff changeset	361	for (EncryptionKey k: ks) k.destroy();
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	362	} else {
10432 ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	363	pakey = EncryptionKey.acquireSecretKey(cname,
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	364	password,
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	365	paEType,
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	366	PAData.getSaltAndParams(
ef33e56c55a9 7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt weijun parents: 9499 diff changeset	367	paEType, kerr.getPA()));
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	368	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	369	paList = kerr.getPA(); // Update current paList
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	370	} else {
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	371	if (referralsState.handleError(ke)) {
55639 4722e5e28449 8227381: GSS login fails with PREAUTH_FAILED weijun parents: 55258 diff changeset	372	pakey = null;
4722e5e28449 8227381: GSS login fails with PREAUTH_FAILED weijun parents: 55258 diff changeset	373	preAuthFailedOnce = false;
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	374	continue;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	375	}
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	376	throw ke;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	377	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	378	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	379	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	380	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	381
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	382	private final class ReferralsState {
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	383	private boolean enabled;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	384	private int count;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	385	private boolean refreshComm;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	386
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	387	ReferralsState() throws KrbException {
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	388	if (Config.DISABLE_REFERRALS) {
57487 643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found mbalao parents: 55639 diff changeset	389	if (refCname.getNameType() == PrincipalName.KRB_NT_ENTERPRISE) {
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	390	throw new KrbException("NT-ENTERPRISE principals only allowed" +
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	391	" when referrals are enabled.");
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	392	}
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	393	enabled = false;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	394	} else {
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	395	enabled = true;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	396	}
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	397	refreshComm = true;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	398	}
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	399
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	400	boolean handleError(KrbException ke) throws RealmException {
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	401	if (enabled) {
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	402	if (ke.returnCode() == Krb5.KRB_ERR_WRONG_REALM) {
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	403	Realm referredRealm = ke.getError().getClientRealm();
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	404	if (req.getMessage().reqBody.kdcOptions.get(KDCOptions.CANONICALIZE) &&
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	405	referredRealm != null && referredRealm.toString().length() > 0 &&
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	406	count < Config.MAX_REFERRALS) {
57487 643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found mbalao parents: 55639 diff changeset	407	refCname = new PrincipalName(refCname.getNameType(),
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found mbalao parents: 55639 diff changeset	408	refCname.getNameStrings(), referredRealm);
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	409	refreshComm = true;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	410	count++;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	411	return true;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	412	}
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	413	}
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	414	if (count < Config.MAX_REFERRALS &&
57487 643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found mbalao parents: 55639 diff changeset	415	refCname.getNameType() != PrincipalName.KRB_NT_ENTERPRISE) {
55258 d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	416	// Server may raise an error if CANONICALIZE is true.
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	417	// Try CANONICALIZE false.
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	418	enabled = false;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	419	return true;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	420	}
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	421	}
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	422	return false;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	423	}
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	424
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	425	boolean refreshComm() {
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	426	boolean retRefreshComm = refreshComm;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	427	refreshComm = false;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	428	return retRefreshComm;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	429	}
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	430
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	431	boolean isEnabled() {
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	432	return enabled;
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	433	}
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	434	}
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806) mbalao parents: 47216 diff changeset	435
7183 d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	436	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	437	* Performs AS-REQ send and AS-REP receive.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	438	* Maybe a state is needed here, to divide prepare process and getCreds.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	439	* @throws KrbException
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	440	* @throws Asn1Exception
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	441	* @throws IOException
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	442	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	443	public KrbAsReqBuilder action()
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	444	throws KrbException, Asn1Exception, IOException {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	445	checkState(State.INIT, "Cannot call action");
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	446	state = State.REQ_OK;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	447	return send().resolve();
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	448	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	449
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	450	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	451	* Gets Credentials object after action
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	452	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	453	public Credentials getCreds() {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	454	checkState(State.REQ_OK, "Cannot retrieve creds");
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	455	return rep.getCreds();
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	456	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	457
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	458	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	459	* Gets another type of Credentials after action
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	460	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	461	public sun.security.krb5.internal.ccache.Credentials getCCreds() {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	462	checkState(State.REQ_OK, "Cannot retrieve CCreds");
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	463	return rep.getCCreds();
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	464	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	465
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	466	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	467	* Destroys the object and clears keys and password info.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	468	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	469	public void destroy() {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	470	state = State.DESTROYED;
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	471	if (password != null) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	472	Arrays.fill(password, (char)0);
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	473	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	474	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	475
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	476	/**
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	477	* Checks if the current state is the specified one.
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	478	* @param st the expected state
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	479	* @param msg error message if state is not correct
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	480	* @throws IllegalStateException if state is not correct
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	481	*/
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	482	private void checkState(State st, String msg) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	483	if (state != st) {
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	484	throw new IllegalStateException(msg + " at " + st + " state");
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	485	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	486	}
d8ccc1c73358 6960894: Better AS-REQ creation and processing weijun parents: diff changeset	487	}

author	chegar
	Thu, 17 Oct 2019 20:54:25 +0100
branch	datagramsocketimpl-branch
changeset 58679	9c3209ff7550
parent 58678	9cf78a70fa4f
parent 57487	643978a35f6e
permissions	-rw-r--r--