jdk-sandbox: comparison test/jdk/sun/security/krb5/auto/KDC.java

equal deleted inserted replaced

-:13588c901957
+:9cf78a70fa4f
 // different s2kparams for different etypes, pretend they are the same
 // at the moment.
 private TreeMap<String,byte[]> s2kparamses = new TreeMap<>
 (String.CASE_INSENSITIVE_ORDER);
+// Alias for referrals.
+private TreeMap<String,KDC> aliasReferrals = new TreeMap<>
+(String.CASE_INSENSITIVE_ORDER);
+// Alias for local resolution.
+private TreeMap<String,PrincipalName> alias2Principals = new TreeMap<>
+(String.CASE_INSENSITIVE_ORDER);
 // Realm name
 private String realm;
 // KDC
 private String kdc;
 // Service port number
 */
 public int getPort() {
 return port;
 }
+/**
+* Register an alias name to be referred to a different KDC for
+* resolution, according to RFC 6806.
+* @param alias Alias name (i.e. user@REALM.COM).
+* @param referredKDC KDC to which the alias is referred for resolution.
+*/
+public void registerAlias(String alias, KDC referredKDC) {
+aliasReferrals.remove(alias);
+aliasReferrals.put(alias, referredKDC);
+}
+/**
+* Register an alias to be resolved to a Principal Name locally,
+* according to RFC 6806.
+* @param alias Alias name (i.e. user@REALM.COM).
+* @param user Principal Name to which the alias is resolved.
+*/
+public void registerAlias(String alias, String user)
+throws RealmException {
+alias2Principals.remove(alias);
+alias2Principals.put(alias, new PrincipalName(user));
+}
 // Private helper methods
 /**
 * Private constructor, cannot be called outside.
 * @param realm
 Ticket tkt = null;
 EncTicketPart etp = null;
 PrincipalName cname = null;
 boolean allowForwardable = true;
+boolean isReferral = false;
+if (body.kdcOptions.get(KDCOptions.CANONICALIZE)) {
+System.out.println(realm + "> verifying referral for " +
+body.sname.getNameString());
+KDC referral = aliasReferrals.get(body.sname.getNameString());
+if (referral != null) {
+service = new PrincipalName(
+PrincipalName.TGS_DEFAULT_SRV_NAME +
+PrincipalName.NAME_COMPONENT_SEPARATOR_STR +
+referral.getRealm(), PrincipalName.KRB_NT_SRV_INST,
+this.getRealm());
+System.out.println(realm + "> referral to " +
+referral.getRealm());
+isReferral = true;
+}
+}
 if (pas == null || pas.length == 0) {
 throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
 } else {
 PrincipalName forUserCName = null;
 bFlags[Krb5.TKT_OPTS_POSTDATED] = true;
 }
 if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
 bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
 }
-if (body.kdcOptions.get(KDCOptions.CNAME_IN_ADDL_TKT)) {
+if (body.kdcOptions.get(KDCOptions.CNAME_IN_ADDL_TKT) &&
+!isReferral) {
 if (!options.containsKey(Option.ALLOW_S4U2PROXY)) {
 // Don't understand CNAME_IN_ADDL_TKT
 throw new KrbException(Krb5.KDC_ERR_BADOPTION);
 } else {
 Map<String,List<String>> map = (Map<String,List<String>>)
 tFlags,
 timeAfter(0),
 from,
 till, renewTill,
 service,
-body.addresses
+body.addresses,
+null
 );
 EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(),
 KeyUsage.KU_ENC_TGS_REP_PART_SESSKEY);
 TGSRep tgsRep = new TGSRep(null,
 cname,
 * @return the response
 * @throws java.lang.Exception for various errors
 */
 protected byte[] processAsReq(byte[] in) throws Exception {
 ASReq asReq = new ASReq(in);
+byte[] asReqbytes = asReq.asn1Encode();
 int[] eTypes = null;
 List<PAData> outPAs = new ArrayList<>();
 PrincipalName service = asReq.reqBody.sname;
 if (options.containsKey(KDC.Option.RESP_NT)) {
 eTypes = filterSupported(KDCReqBodyDotEType(body));
 if (eTypes.length == 0) {
 throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
 }
 int eType = eTypes[0];
+if (body.kdcOptions.get(KDCOptions.CANONICALIZE)) {
+PrincipalName principal = alias2Principals.get(
+body.cname.getNameString());
+if (principal != null) {
+body.cname = principal;
+} else {
+KDC referral = aliasReferrals.get(body.cname.getNameString());
+if (referral != null) {
+body.cname = new PrincipalName(
+PrincipalName.TGS_DEFAULT_SRV_NAME,
+PrincipalName.KRB_NT_SRV_INST,
+referral.getRealm());
+throw new KrbException(Krb5.KRB_ERR_WRONG_REALM);
+}
+}
+}
 EncryptionKey ckey = keyForUser(body.cname, eType, false);
 EncryptionKey skey = keyForUser(service, eType, true);
 if (options.containsKey(KDC.Option.ONLY_RC4_TGT)) {
 eid.putSequence(pas);
 outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray()));
 }
 PAData[] inPAs = KDCReqDotPAData(asReq);
-if (inPAs == null || inPAs.length == 0) {
+List<PAData> enc_outPAs = new ArrayList<>();
+byte[] paEncTimestamp = null;
+if (inPAs != null) {
+for (PAData inPA : inPAs) {
+if (inPA.getType() == Krb5.PA_ENC_TIMESTAMP) {
+paEncTimestamp = inPA.getValue();
+}
+}
+}
+if (paEncTimestamp == null) {
 Object preauth = options.get(Option.PREAUTH_REQUIRED);
 if (preauth == null || preauth.equals(Boolean.TRUE)) {
 throw new KrbException(Krb5.KDC_ERR_PREAUTH_REQUIRED);
 }
 } else {
+EncryptionKey pakey = null;
 try {
 EncryptedData data = newEncryptedData(
-new DerValue(inPAs[0].getValue()));
+new DerValue(paEncTimestamp));
-EncryptionKey pakey
+pakey = keyForUser(body.cname, data.getEType(), false);
-= keyForUser(body.cname, data.getEType(), false);
 data.decrypt(pakey, KeyUsage.KU_PA_ENC_TS);
 } catch (Exception e) {
 KrbException ke = new KrbException(Krb5.KDC_ERR_PREAUTH_FAILED);
 ke.initCause(e);
 throw ke;
 }
 bFlags[Krb5.TKT_OPTS_PRE_AUTHENT] = true;
+for (PAData pa : inPAs) {
+if (pa.getType() == Krb5.PA_REQ_ENC_PA_REP) {
+Checksum ckSum = new Checksum(
+Checksum.CKSUMTYPE_HMAC_SHA1_96_AES128,
+asReqbytes, ckey, KeyUsage.KU_AS_REQ);
+enc_outPAs.add(new PAData(Krb5.PA_REQ_ENC_PA_REP,
+ckSum.asn1Encode()));
+bFlags[Krb5.TKT_OPTS_ENC_PA_REP] = true;
+break;
+}
+}
 }
 TicketFlags tFlags = new TicketFlags(bFlags);
 EncTicketPart enc = new EncTicketPart(
 tFlags,
 tFlags,
 timeAfter(0),
 from,
 till, rtime,
 service,
-body.addresses
+body.addresses,
+enc_outPAs.toArray(new PAData[enc_outPAs.size()])
 );
 EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(),
 KeyUsage.KU_ENC_AS_REP_PART);
 ASRep asRep = new ASRep(
 outPAs.toArray(new PAData[outPAs.size()]),
 + " " +ke.returnCodeMessage());
 byte[] eData = null;
 if (kerr == null) {
 if (ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED ||
 ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) {
+outPAs.add(new PAData(Krb5.PA_ENC_TIMESTAMP, new byte[0]));
+}
+if (outPAs.size() > 0) {
 DerOutputStream bytes = new DerOutputStream();
-bytes.write(new PAData(Krb5.PA_ENC_TIMESTAMP, new byte[0]).asn1Encode());
 for (PAData p: outPAs) {
 bytes.write(p.asn1Encode());
 }
 DerOutputStream temp = new DerOutputStream();
 temp.write(DerValue.tag_Sequence, bytes);

branch	datagramsocketimpl-branch
changeset 58678	9cf78a70fa4f
parent 53273	bbc79e0ec9ee
child 58679	9c3209ff7550