33 |
33 |
34 import sun.security.krb5.internal.*; |
34 import sun.security.krb5.internal.*; |
35 import sun.security.krb5.internal.crypto.EType; |
35 import sun.security.krb5.internal.crypto.EType; |
36 import sun.security.krb5.internal.crypto.Nonce; |
36 import sun.security.krb5.internal.crypto.Nonce; |
37 import sun.security.krb5.internal.crypto.KeyUsage; |
37 import sun.security.krb5.internal.crypto.KeyUsage; |
|
38 import sun.security.util.*; |
38 import java.io.IOException; |
39 import java.io.IOException; |
|
40 import java.io.ByteArrayInputStream; |
39 import java.net.UnknownHostException; |
41 import java.net.UnknownHostException; |
40 import java.util.Arrays; |
42 import java.util.StringTokenizer; |
41 |
43 |
42 /** |
44 /** |
43 * This class encapsulates the KRB-AS-REQ message that the client |
45 * This class encapsulates the KRB-AS-REQ message that the client |
44 * sends to the KDC. |
46 * sends to the KDC. |
45 */ |
47 */ |
60 // default is address-less tickets |
62 // default is address-less tickets |
61 private boolean KDC_EMPTY_ADDRESSES_ALLOWED = true; |
63 private boolean KDC_EMPTY_ADDRESSES_ALLOWED = true; |
62 |
64 |
63 /** |
65 /** |
64 * Creates a KRB-AS-REQ to send to the default KDC |
66 * Creates a KRB-AS-REQ to send to the default KDC |
65 * @param eTypes not null when using a keytab, this can make sure the etypes |
|
66 * in AS-REQ contains only those available on client |
|
67 * @throws KrbException |
67 * @throws KrbException |
68 * @throws IOException |
68 * @throws IOException |
69 */ |
69 */ |
70 // Called by Credentials |
70 // Called by Credentials |
71 KrbAsReq(PrincipalName principal, EncryptionKey[] keys, int[] eTypes) |
71 KrbAsReq(PrincipalName principal, EncryptionKey[] keys) |
72 throws KrbException, IOException { |
72 throws KrbException, IOException { |
73 this(keys, // for pre-authentication |
73 this(keys, // for pre-authentication |
74 false, 0, null, null, // pre-auth values |
74 false, 0, null, null, // pre-auth values |
75 defaultKDCOptions, |
75 defaultKDCOptions, |
76 principal, |
76 principal, |
77 null, // PrincipalName sname |
77 null, // PrincipalName sname |
78 null, // KerberosTime from |
78 null, // KerberosTime from |
79 null, // KerberosTime till |
79 null, // KerberosTime till |
80 null, // KerberosTime rtime |
80 null, // KerberosTime rtime |
81 eTypes, // int[] eTypes |
81 null, // int[] eTypes |
82 null, // HostAddresses addresses |
82 null, // HostAddresses addresses |
83 null); // Ticket[] additionalTickets |
83 null); // Ticket[] additionalTickets |
84 } |
84 } |
85 |
85 |
86 /** |
86 /** |
87 * Creates a KRB-AS-REQ to send to the default KDC |
87 * Creates a KRB-AS-REQ to send to the default KDC |
88 * with pre-authentication values |
88 * with pre-authentication values |
89 * @param eTypes not null when using a keytab, this can make sure the etypes |
|
90 * in AS-REQ contains only those available on client |
|
91 */ |
89 */ |
92 KrbAsReq(PrincipalName principal, EncryptionKey[] keys, int[] eTypes, |
90 KrbAsReq(PrincipalName principal, EncryptionKey[] keys, |
93 boolean pa_exists, int etype, String salt, byte[] s2kparams) |
91 boolean pa_exists, int etype, String salt, byte[] s2kparams) |
94 throws KrbException, IOException { |
92 throws KrbException, IOException { |
95 this(keys, // for pre-authentication |
93 this(keys, // for pre-authentication |
96 pa_exists, etype, salt, s2kparams, // pre-auth values |
94 pa_exists, etype, salt, s2kparams, // pre-auth values |
97 defaultKDCOptions, |
95 defaultKDCOptions, |
98 principal, |
96 principal, |
99 null, // PrincipalName sname |
97 null, // PrincipalName sname |
100 null, // KerberosTime from |
98 null, // KerberosTime from |
101 null, // KerberosTime till |
99 null, // KerberosTime till |
102 null, // KerberosTime rtime |
100 null, // KerberosTime rtime |
103 eTypes, // int[] eTypes |
101 null, // int[] eTypes |
104 null, // HostAddresses addresses |
102 null, // HostAddresses addresses |
105 null); // Ticket[] additionalTickets |
103 null); // Ticket[] additionalTickets |
106 } |
104 } |
107 |
105 |
108 private static int[] getETypesFromKeys(EncryptionKey[] keys) { |
106 private static int[] getETypesFromKeys(EncryptionKey[] keys) { |
342 } else { |
340 } else { |
343 if (rtime != null) rtime = null; |
341 if (rtime != null) rtime = null; |
344 } |
342 } |
345 |
343 |
346 princName = cname; |
344 princName = cname; |
347 |
345 int[] tktETypes = EType.getDefaults("default_tkt_enctypes", keys); |
348 // keys might contain many etypes, or only one if in preauth mode, |
|
349 // coz EncryptionKey.acquireSecretKeys() with pa returns only one key. |
|
350 |
|
351 PAData[] paData = null; |
346 PAData[] paData = null; |
352 if (PA_ENC_TIMESTAMP_REQUIRED) { |
347 if (PA_ENC_TIMESTAMP_REQUIRED) { |
353 EncryptionKey key = null; |
348 EncryptionKey key = null; |
354 if (pa_etype != EncryptedData.ETYPE_NULL) { |
349 if (pa_etype != EncryptedData.ETYPE_NULL) { |
355 if (DEBUG) { |
350 if (DEBUG) { |
356 System.out.println("Pre-Authenticaton: " + |
351 System.out.println("Pre-Authenticaton: find key for etype = " + pa_etype); |
357 "find key for etype = " + pa_etype); |
|
358 } |
352 } |
359 key = EncryptionKey.findKey(pa_etype, keys); |
353 key = EncryptionKey.findKey(pa_etype, keys); |
360 } else { |
354 } else { |
361 int[] availableETypes = |
355 if (tktETypes.length > 0) { |
362 EType.getDefaults("default_tkt_enctypes", keys); |
356 key = EncryptionKey.findKey(tktETypes[0], keys); |
363 if (availableETypes.length > 0) { |
|
364 key = EncryptionKey.findKey(availableETypes[0], keys); |
|
365 } |
357 } |
366 } |
358 } |
367 if (DEBUG) { |
359 if (DEBUG) { |
368 System.out.println("AS-REQ: Add PA_ENC_TIMESTAMP now"); |
360 System.out.println("AS-REQ: Add PA_ENC_TIMESTAMP now"); |
369 } |
361 } |