116 if (dkey == null) { |
116 if (dkey == null) { |
117 throw new KrbException(Krb5.API_INVALID_ARG, |
117 throw new KrbException(Krb5.API_INVALID_ARG, |
118 "Cannot find key for type/kvno to decrypt AS REP - " + |
118 "Cannot find key for type/kvno to decrypt AS REP - " + |
119 EType.toString(encPartKeyType) + "/" + encPartKvno); |
119 EType.toString(encPartKeyType) + "/" + encPartKvno); |
120 } |
120 } |
121 decrypt(dkey, asReq); |
121 decrypt(dkey, asReq, cname); |
122 } |
122 } |
123 |
123 |
124 /** |
124 /** |
125 * Called by KrbAsReqBuilder to resolve a AS-REP message using a password. |
125 * Called by KrbAsReqBuilder to resolve a AS-REP message using a password. |
126 * @param password user provided password. not null |
126 * @param password user provided password. not null |
134 EncryptionKey dkey = EncryptionKey.acquireSecretKey( |
134 EncryptionKey dkey = EncryptionKey.acquireSecretKey( |
135 cname, |
135 cname, |
136 password, |
136 password, |
137 encPartKeyType, |
137 encPartKeyType, |
138 PAData.getSaltAndParams(encPartKeyType, rep.pAData)); |
138 PAData.getSaltAndParams(encPartKeyType, rep.pAData)); |
139 decrypt(dkey, asReq); |
139 decrypt(dkey, asReq, cname); |
140 } |
140 } |
141 |
141 |
142 /** |
142 /** |
143 * Decrypts encrypted content inside AS-REP. Called by initiator. |
143 * Decrypts encrypted content inside AS-REP. Called by initiator. |
144 * @param dkey the decryption key to use |
144 * @param dkey the decryption key to use |
145 * @param asReq the original AS-REQ sent, used to validate AS-REP |
145 * @param asReq the original AS-REQ sent, used to validate AS-REP |
146 */ |
146 */ |
147 private void decrypt(EncryptionKey dkey, KrbAsReq asReq) |
147 private void decrypt(EncryptionKey dkey, KrbAsReq asReq, |
|
148 PrincipalName cname) |
148 throws KrbException, Asn1Exception, IOException { |
149 throws KrbException, Asn1Exception, IOException { |
149 byte[] enc_as_rep_bytes = rep.encPart.decrypt(dkey, |
150 byte[] enc_as_rep_bytes = rep.encPart.decrypt(dkey, |
150 KeyUsage.KU_ENC_AS_REP_PART); |
151 KeyUsage.KU_ENC_AS_REP_PART); |
151 byte[] enc_as_rep_part = rep.encPart.reset(enc_as_rep_bytes); |
152 byte[] enc_as_rep_part = rep.encPart.reset(enc_as_rep_bytes); |
152 |
153 |
155 rep.encKDCRepPart = enc_part; |
156 rep.encKDCRepPart = enc_part; |
156 |
157 |
157 ASReq req = asReq.getMessage(); |
158 ASReq req = asReq.getMessage(); |
158 check(true, req, rep, dkey); |
159 check(true, req, rep, dkey); |
159 |
160 |
|
161 PrincipalName clientAlias = cname; |
|
162 if (clientAlias.equals(rep.cname)) |
|
163 clientAlias = null; |
|
164 |
160 creds = new Credentials( |
165 creds = new Credentials( |
161 rep.ticket, |
166 rep.ticket, |
162 rep.cname, |
167 rep.cname, |
|
168 clientAlias, |
163 enc_part.sname, |
169 enc_part.sname, |
|
170 null, // No server alias expected in a TGT |
164 enc_part.key, |
171 enc_part.key, |
165 enc_part.flags, |
172 enc_part.flags, |
166 enc_part.authtime, |
173 enc_part.authtime, |
167 enc_part.starttime, |
174 enc_part.starttime, |
168 enc_part.endtime, |
175 enc_part.endtime, |