|
1 /* |
|
2 * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 |
|
26 package sun.security.jgss.krb5; |
|
27 |
|
28 import org.ietf.jgss.*; |
|
29 import sun.security.jgss.GSSCaller; |
|
30 import sun.security.jgss.spi.*; |
|
31 import sun.security.krb5.*; |
|
32 import javax.security.auth.kerberos.KerberosTicket; |
|
33 import javax.security.auth.kerberos.KerberosPrincipal; |
|
34 import java.net.InetAddress; |
|
35 import java.io.IOException; |
|
36 import java.util.Date; |
|
37 import java.security.AccessController; |
|
38 import java.security.AccessControlContext; |
|
39 import java.security.PrivilegedExceptionAction; |
|
40 import java.security.PrivilegedActionException; |
|
41 |
|
42 /** |
|
43 * Implements the krb5 initiator credential element. |
|
44 * |
|
45 * @author Mayank Upadhyay |
|
46 * @author Ram Marti |
|
47 * @since 1.4 |
|
48 */ |
|
49 |
|
50 public class Krb5InitCredential |
|
51 extends KerberosTicket |
|
52 implements Krb5CredElement { |
|
53 |
|
54 private static final long serialVersionUID = 7723415700837898232L; |
|
55 |
|
56 private Krb5NameElement name; |
|
57 private Credentials krb5Credentials; |
|
58 |
|
59 private Krb5InitCredential(Krb5NameElement name, |
|
60 byte[] asn1Encoding, |
|
61 KerberosPrincipal client, |
|
62 KerberosPrincipal server, |
|
63 byte[] sessionKey, |
|
64 int keyType, |
|
65 boolean[] flags, |
|
66 Date authTime, |
|
67 Date startTime, |
|
68 Date endTime, |
|
69 Date renewTill, |
|
70 InetAddress[] clientAddresses) |
|
71 throws GSSException { |
|
72 super(asn1Encoding, |
|
73 client, |
|
74 server, |
|
75 sessionKey, |
|
76 keyType, |
|
77 flags, |
|
78 authTime, |
|
79 startTime, |
|
80 endTime, |
|
81 renewTill, |
|
82 clientAddresses); |
|
83 |
|
84 this.name = name; |
|
85 |
|
86 try { |
|
87 // Cache this for later use by the sun.security.krb5 package. |
|
88 krb5Credentials = new Credentials(asn1Encoding, |
|
89 client.getName(), |
|
90 server.getName(), |
|
91 sessionKey, |
|
92 keyType, |
|
93 flags, |
|
94 authTime, |
|
95 startTime, |
|
96 endTime, |
|
97 renewTill, |
|
98 clientAddresses); |
|
99 } catch (KrbException e) { |
|
100 throw new GSSException(GSSException.NO_CRED, -1, |
|
101 e.getMessage()); |
|
102 } catch (IOException e) { |
|
103 throw new GSSException(GSSException.NO_CRED, -1, |
|
104 e.getMessage()); |
|
105 } |
|
106 |
|
107 } |
|
108 |
|
109 private Krb5InitCredential(Krb5NameElement name, |
|
110 Credentials delegatedCred, |
|
111 byte[] asn1Encoding, |
|
112 KerberosPrincipal client, |
|
113 KerberosPrincipal server, |
|
114 byte[] sessionKey, |
|
115 int keyType, |
|
116 boolean[] flags, |
|
117 Date authTime, |
|
118 Date startTime, |
|
119 Date endTime, |
|
120 Date renewTill, |
|
121 InetAddress[] clientAddresses) |
|
122 throws GSSException { |
|
123 super(asn1Encoding, |
|
124 client, |
|
125 server, |
|
126 sessionKey, |
|
127 keyType, |
|
128 flags, |
|
129 authTime, |
|
130 startTime, |
|
131 endTime, |
|
132 renewTill, |
|
133 clientAddresses); |
|
134 |
|
135 this.name = name; |
|
136 // A delegated cred does not have all fields set. So do not try to |
|
137 // creat new Credentials out of the delegatedCred. |
|
138 this.krb5Credentials = delegatedCred; |
|
139 } |
|
140 |
|
141 static Krb5InitCredential getInstance(GSSCaller caller, Krb5NameElement name, |
|
142 int initLifetime) |
|
143 throws GSSException { |
|
144 |
|
145 KerberosTicket tgt = getTgt(caller, name, initLifetime); |
|
146 if (tgt == null) |
|
147 throw new GSSException(GSSException.NO_CRED, -1, |
|
148 "Failed to find any Kerberos tgt"); |
|
149 |
|
150 if (name == null) { |
|
151 String fullName = tgt.getClient().getName(); |
|
152 name = Krb5NameElement.getInstance(fullName, |
|
153 Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL); |
|
154 } |
|
155 |
|
156 return new Krb5InitCredential(name, |
|
157 tgt.getEncoded(), |
|
158 tgt.getClient(), |
|
159 tgt.getServer(), |
|
160 tgt.getSessionKey().getEncoded(), |
|
161 tgt.getSessionKeyType(), |
|
162 tgt.getFlags(), |
|
163 tgt.getAuthTime(), |
|
164 tgt.getStartTime(), |
|
165 tgt.getEndTime(), |
|
166 tgt.getRenewTill(), |
|
167 tgt.getClientAddresses()); |
|
168 } |
|
169 |
|
170 static Krb5InitCredential getInstance(Krb5NameElement name, |
|
171 Credentials delegatedCred) |
|
172 throws GSSException { |
|
173 |
|
174 EncryptionKey sessionKey = delegatedCred.getSessionKey(); |
|
175 |
|
176 /* |
|
177 * all of the following data is optional in a KRB-CRED |
|
178 * messages. This check for each field. |
|
179 */ |
|
180 |
|
181 PrincipalName cPrinc = delegatedCred.getClient(); |
|
182 PrincipalName sPrinc = delegatedCred.getServer(); |
|
183 |
|
184 KerberosPrincipal client = null; |
|
185 KerberosPrincipal server = null; |
|
186 |
|
187 Krb5NameElement credName = null; |
|
188 |
|
189 if (cPrinc != null) { |
|
190 String fullName = cPrinc.getName(); |
|
191 credName = Krb5NameElement.getInstance(fullName, |
|
192 Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL); |
|
193 client = new KerberosPrincipal(fullName); |
|
194 } |
|
195 |
|
196 // XXX Compare name to credName |
|
197 |
|
198 if (sPrinc != null) { |
|
199 server = |
|
200 new KerberosPrincipal(sPrinc.getName(), |
|
201 KerberosPrincipal.KRB_NT_SRV_INST); |
|
202 } |
|
203 |
|
204 return new Krb5InitCredential(credName, |
|
205 delegatedCred, |
|
206 delegatedCred.getEncoded(), |
|
207 client, |
|
208 server, |
|
209 sessionKey.getBytes(), |
|
210 sessionKey.getEType(), |
|
211 delegatedCred.getFlags(), |
|
212 delegatedCred.getAuthTime(), |
|
213 delegatedCred.getStartTime(), |
|
214 delegatedCred.getEndTime(), |
|
215 delegatedCred.getRenewTill(), |
|
216 delegatedCred.getClientAddresses()); |
|
217 } |
|
218 |
|
219 /** |
|
220 * Returns the principal name for this credential. The name |
|
221 * is in mechanism specific format. |
|
222 * |
|
223 * @return GSSNameSpi representing principal name of this credential |
|
224 * @exception GSSException may be thrown |
|
225 */ |
|
226 public final GSSNameSpi getName() throws GSSException { |
|
227 return name; |
|
228 } |
|
229 |
|
230 /** |
|
231 * Returns the init lifetime remaining. |
|
232 * |
|
233 * @return the init lifetime remaining in seconds |
|
234 * @exception GSSException may be thrown |
|
235 */ |
|
236 public int getInitLifetime() throws GSSException { |
|
237 int retVal = 0; |
|
238 Date d = getEndTime(); |
|
239 if (d == null) { |
|
240 return 0; |
|
241 } |
|
242 retVal = (int)(d.getTime() - (new Date().getTime())); |
|
243 |
|
244 return retVal/1000; |
|
245 } |
|
246 |
|
247 /** |
|
248 * Returns the accept lifetime remaining. |
|
249 * |
|
250 * @return the accept lifetime remaining in seconds |
|
251 * @exception GSSException may be thrown |
|
252 */ |
|
253 public int getAcceptLifetime() throws GSSException { |
|
254 return 0; |
|
255 } |
|
256 |
|
257 public boolean isInitiatorCredential() throws GSSException { |
|
258 return true; |
|
259 } |
|
260 |
|
261 public boolean isAcceptorCredential() throws GSSException { |
|
262 return false; |
|
263 } |
|
264 |
|
265 /** |
|
266 * Returns the oid representing the underlying credential |
|
267 * mechanism oid. |
|
268 * |
|
269 * @return the Oid for this credential mechanism |
|
270 * @exception GSSException may be thrown |
|
271 */ |
|
272 public final Oid getMechanism() { |
|
273 return Krb5MechFactory.GSS_KRB5_MECH_OID; |
|
274 } |
|
275 |
|
276 public final java.security.Provider getProvider() { |
|
277 return Krb5MechFactory.PROVIDER; |
|
278 } |
|
279 |
|
280 |
|
281 /** |
|
282 * Returns a sun.security.krb5.Credentials instance so that it maybe |
|
283 * used in that package for th Kerberos protocol. |
|
284 */ |
|
285 Credentials getKrb5Credentials() { |
|
286 return krb5Credentials; |
|
287 } |
|
288 |
|
289 /* |
|
290 * XXX Call to this.refresh() should refresh the locally cached copy |
|
291 * of krb5Credentials also. |
|
292 */ |
|
293 |
|
294 /** |
|
295 * Called to invalidate this credential element. |
|
296 */ |
|
297 public void dispose() throws GSSException { |
|
298 try { |
|
299 destroy(); |
|
300 } catch (javax.security.auth.DestroyFailedException e) { |
|
301 GSSException gssException = |
|
302 new GSSException(GSSException.FAILURE, -1, |
|
303 "Could not destroy credentials - " + e.getMessage()); |
|
304 gssException.initCause(e); |
|
305 } |
|
306 } |
|
307 |
|
308 // XXX call to this.destroy() should destroy the locally cached copy |
|
309 // of krb5Credentials and then call super.destroy(). |
|
310 |
|
311 private static KerberosTicket getTgt(GSSCaller caller, Krb5NameElement name, |
|
312 int initLifetime) |
|
313 throws GSSException { |
|
314 |
|
315 final String clientPrincipal; |
|
316 |
|
317 /* |
|
318 * Find the TGT for the realm that the client is in. If the client |
|
319 * name is not available, then use the default realm. |
|
320 */ |
|
321 if (name != null) { |
|
322 clientPrincipal = (name.getKrb5PrincipalName()).getName(); |
|
323 } else { |
|
324 clientPrincipal = null; |
|
325 } |
|
326 |
|
327 final AccessControlContext acc = AccessController.getContext(); |
|
328 |
|
329 try { |
|
330 final GSSCaller realCaller = (caller == GSSCaller.CALLER_UNKNOWN) |
|
331 ? GSSCaller.CALLER_INITIATE |
|
332 : caller; |
|
333 return AccessController.doPrivileged( |
|
334 new PrivilegedExceptionAction<KerberosTicket>() { |
|
335 public KerberosTicket run() throws Exception { |
|
336 // It's OK to use null as serverPrincipal. TGT is almost |
|
337 // the first ticket for a principal and we use list. |
|
338 return Krb5Util.getTicket( |
|
339 realCaller, |
|
340 clientPrincipal, null, acc); |
|
341 }}); |
|
342 } catch (PrivilegedActionException e) { |
|
343 GSSException ge = |
|
344 new GSSException(GSSException.NO_CRED, -1, |
|
345 "Attempt to obtain new INITIATE credentials failed!" + |
|
346 " (" + e.getMessage() + ")"); |
|
347 ge.initCause(e.getException()); |
|
348 throw ge; |
|
349 } |
|
350 } |
|
351 |
|
352 @Override |
|
353 public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException { |
|
354 try { |
|
355 Krb5NameElement kname = (Krb5NameElement)name; |
|
356 Credentials newCred = Credentials.acquireS4U2selfCreds( |
|
357 kname.getKrb5PrincipalName(), krb5Credentials); |
|
358 return new Krb5ProxyCredential(this, kname, newCred.getTicket()); |
|
359 } catch (IOException | KrbException ke) { |
|
360 GSSException ge = |
|
361 new GSSException(GSSException.FAILURE, -1, |
|
362 "Attempt to obtain S4U2self credentials failed!"); |
|
363 ge.initCause(ke); |
|
364 throw ge; |
|
365 } |
|
366 } |
|
367 } |