| author | weijun |
| Fri, 17 Jul 2015 19:40:25 +0800 | |
| changeset 31800 | 450f972e0488 |
| parent 30905 | bba6fefdd660 |
| child 35302 | e4d2275861c3 |
| permissions | -rw-r--r-- |
|
30905
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
1 |
/* |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
2 |
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
4 |
* |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
7 |
* published by the Free Software Foundation. Oracle designates this |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
8 |
* particular file as subject to the "Classpath" exception as provided |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
9 |
* by Oracle in the LICENSE file that accompanied this code. |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
10 |
* |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
15 |
* accompanied this code). |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
16 |
* |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
17 |
* You should have received a copy of the GNU General Public License version |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
20 |
* |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
22 |
* or visit www.oracle.com if you need additional information or have any |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
23 |
* questions. |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
24 |
*/ |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
25 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
26 |
package sun.security.krb5.internal.ssl; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
27 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
28 |
import sun.security.ssl.ClientKeyExchange; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
29 |
import sun.security.ssl.Debug; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
30 |
import sun.security.ssl.ClientKeyExchangeService; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
31 |
import sun.security.ssl.HandshakeOutStream; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
32 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
33 |
import sun.security.jgss.GSSCaller; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
34 |
import sun.security.jgss.krb5.Krb5Util; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
35 |
import sun.security.jgss.krb5.ServiceCreds; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
36 |
import sun.security.krb5.EncryptedData; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
37 |
import sun.security.krb5.EncryptionKey; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
38 |
import sun.security.krb5.KrbException; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
39 |
import sun.security.krb5.PrincipalName; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
40 |
import sun.security.krb5.internal.EncTicketPart; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
41 |
import sun.security.krb5.internal.Ticket; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
42 |
import sun.security.krb5.internal.crypto.KeyUsage; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
43 |
import sun.security.ssl.ProtocolVersion; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
44 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
45 |
import javax.crypto.SecretKey; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
46 |
import javax.crypto.spec.SecretKeySpec; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
47 |
import javax.security.auth.Subject; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
48 |
import javax.security.auth.kerberos.KerberosKey; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
49 |
import javax.security.auth.kerberos.KerberosPrincipal; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
50 |
import javax.security.auth.kerberos.KerberosTicket; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
51 |
import javax.security.auth.kerberos.KeyTab; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
52 |
import javax.security.auth.kerberos.ServicePermission; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
53 |
import java.io.IOException; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
54 |
import java.io.PrintStream; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
55 |
import java.net.InetAddress; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
56 |
import java.security.AccessControlContext; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
57 |
import java.security.AccessController; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
58 |
import java.security.Principal; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
59 |
import java.security.PrivilegedAction; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
60 |
import java.security.PrivilegedActionException; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
61 |
import java.security.PrivilegedExceptionAction; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
62 |
import java.security.SecureRandom; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
63 |
import java.util.Set; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
64 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
65 |
/** |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
66 |
* The provider for TLS_KRB_ cipher suites. |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
67 |
* |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
68 |
* @since 1.9 |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
69 |
*/ |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
70 |
public class Krb5KeyExchangeService implements ClientKeyExchangeService {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
71 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
72 |
public static final Debug debug = Debug.getInstance("ssl");
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
73 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
74 |
@Override |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
75 |
public String[] supported() {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
76 |
return new String[] { "KRB5", "KRB5_EXPORT" };
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
77 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
78 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
79 |
@Override |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
80 |
public Object getServiceCreds(AccessControlContext acc) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
81 |
try {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
82 |
ServiceCreds serviceCreds = AccessController.doPrivileged( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
83 |
(PrivilegedExceptionAction<ServiceCreds>) |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
84 |
() -> Krb5Util.getServiceCreds( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
85 |
GSSCaller.CALLER_SSL_SERVER, null, acc)); |
|
31800
450f972e0488
8131735: closed/sun/security/ssl/SSLSessionImpl/RemovedPrivateKey.java is failing
weijun
parents:
30905
diff
changeset
|
86 |
if (serviceCreds == null) {
|
|
450f972e0488
8131735: closed/sun/security/ssl/SSLSessionImpl/RemovedPrivateKey.java is failing
weijun
parents:
30905
diff
changeset
|
87 |
if (debug != null && Debug.isOn("handshake")) {
|
|
450f972e0488
8131735: closed/sun/security/ssl/SSLSessionImpl/RemovedPrivateKey.java is failing
weijun
parents:
30905
diff
changeset
|
88 |
System.out.println("Kerberos serviceCreds not available");
|
|
450f972e0488
8131735: closed/sun/security/ssl/SSLSessionImpl/RemovedPrivateKey.java is failing
weijun
parents:
30905
diff
changeset
|
89 |
} |
|
450f972e0488
8131735: closed/sun/security/ssl/SSLSessionImpl/RemovedPrivateKey.java is failing
weijun
parents:
30905
diff
changeset
|
90 |
return null; |
|
450f972e0488
8131735: closed/sun/security/ssl/SSLSessionImpl/RemovedPrivateKey.java is failing
weijun
parents:
30905
diff
changeset
|
91 |
} |
|
30905
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
92 |
if (debug != null && Debug.isOn("handshake")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
93 |
System.out.println("Using Kerberos creds");
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
94 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
95 |
String serverPrincipal = serviceCreds.getName(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
96 |
if (serverPrincipal != null) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
97 |
// When service is bound, we check ASAP. Otherwise, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
98 |
// will check after client request is received |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
99 |
// in in Kerberos ClientKeyExchange |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
100 |
SecurityManager sm = System.getSecurityManager(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
101 |
try {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
102 |
if (sm != null) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
103 |
// Eliminate dependency on ServicePermission |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
104 |
sm.checkPermission(new ServicePermission( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
105 |
serverPrincipal, "accept"), acc); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
106 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
107 |
} catch (SecurityException se) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
108 |
if (debug != null && Debug.isOn("handshake")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
109 |
System.out.println("Permission to access Kerberos"
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
110 |
+ " secret key denied"); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
111 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
112 |
return null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
113 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
114 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
115 |
return serviceCreds; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
116 |
} catch (PrivilegedActionException e) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
117 |
// Likely exception here is LoginException |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
118 |
if (debug != null && Debug.isOn("handshake")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
119 |
System.out.println("Attempt to obtain Kerberos key failed: "
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
120 |
+ e.toString()); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
121 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
122 |
return null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
123 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
124 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
125 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
126 |
@Override |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
127 |
public String getServiceHostName(Principal principal) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
128 |
if (principal == null) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
129 |
return null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
130 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
131 |
String hostName = null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
132 |
try {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
133 |
PrincipalName princName = |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
134 |
new PrincipalName(principal.getName(), |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
135 |
PrincipalName.KRB_NT_SRV_HST); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
136 |
String[] nameParts = princName.getNameStrings(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
137 |
if (nameParts.length >= 2) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
138 |
hostName = nameParts[1]; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
139 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
140 |
} catch (Exception e) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
141 |
// ignore |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
142 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
143 |
return hostName; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
144 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
145 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
146 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
147 |
@Override |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
148 |
public boolean isRelated(boolean isClient, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
149 |
AccessControlContext acc, Principal p) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
150 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
151 |
if (p == null) return false; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
152 |
try {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
153 |
Subject subject = AccessController.doPrivileged( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
154 |
(PrivilegedExceptionAction<Subject>) |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
155 |
() -> Krb5Util.getSubject( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
156 |
isClient ? GSSCaller.CALLER_SSL_CLIENT |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
157 |
: GSSCaller.CALLER_SSL_SERVER, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
158 |
acc)); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
159 |
if (subject == null) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
160 |
if (debug != null && Debug.isOn("session")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
161 |
System.out.println("Kerberos credentials are" +
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
162 |
" not present in the current Subject;" + |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
163 |
" check if " + |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
164 |
" javax.security.auth.useSubjectAsCreds" + |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
165 |
" system property has been set to false"); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
166 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
167 |
return false; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
168 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
169 |
Set<Principal> principals = |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
170 |
subject.getPrincipals(Principal.class); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
171 |
if (principals.contains(p)) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
172 |
// bound to this principal |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
173 |
return true; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
174 |
} else {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
175 |
if (isClient) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
176 |
return false; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
177 |
} else {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
178 |
for (KeyTab pc : subject.getPrivateCredentials(KeyTab.class)) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
179 |
if (!pc.isBound()) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
180 |
return true; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
181 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
182 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
183 |
return false; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
184 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
185 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
186 |
} catch (PrivilegedActionException pae) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
187 |
if (debug != null && Debug.isOn("session")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
188 |
System.out.println("Attempt to obtain" +
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
189 |
" subject failed! " + pae); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
190 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
191 |
return false; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
192 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
193 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
194 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
195 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
196 |
public ClientKeyExchange createClientExchange( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
197 |
String serverName, AccessControlContext acc, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
198 |
ProtocolVersion protocolVerson, SecureRandom rand) throws IOException {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
199 |
return new ExchangerImpl(serverName, acc, protocolVerson, rand); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
200 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
201 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
202 |
public ClientKeyExchange createServerExchange( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
203 |
ProtocolVersion protocolVersion, ProtocolVersion clientVersion, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
204 |
SecureRandom rand, byte[] encodedTicket, byte[] encrypted, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
205 |
AccessControlContext acc, Object serviceCreds) throws IOException {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
206 |
return new ExchangerImpl(protocolVersion, clientVersion, rand, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
207 |
encodedTicket, encrypted, acc, serviceCreds); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
208 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
209 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
210 |
static class ExchangerImpl extends ClientKeyExchange {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
211 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
212 |
final private KerberosPreMasterSecret preMaster; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
213 |
final private byte[] encodedTicket; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
214 |
final private KerberosPrincipal peerPrincipal; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
215 |
final private KerberosPrincipal localPrincipal; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
216 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
217 |
@Override |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
218 |
public int messageLength() {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
219 |
return encodedTicket.length + preMaster.getEncrypted().length + 6; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
220 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
221 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
222 |
@Override |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
223 |
public void send(HandshakeOutStream s) throws IOException {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
224 |
s.putBytes16(encodedTicket); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
225 |
s.putBytes16(null); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
226 |
s.putBytes16(preMaster.getEncrypted()); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
227 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
228 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
229 |
@Override |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
230 |
public void print(PrintStream s) throws IOException {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
231 |
s.println("*** ClientKeyExchange, Kerberos");
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
232 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
233 |
if (debug != null && Debug.isOn("verbose")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
234 |
Debug.println(s, "Kerberos service ticket", encodedTicket); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
235 |
Debug.println(s, "Random Secret", preMaster.getUnencrypted()); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
236 |
Debug.println(s, "Encrypted random Secret", preMaster.getEncrypted()); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
237 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
238 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
239 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
240 |
ExchangerImpl(String serverName, AccessControlContext acc, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
241 |
ProtocolVersion protocolVersion, SecureRandom rand) throws IOException {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
242 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
243 |
// Get service ticket |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
244 |
KerberosTicket ticket = getServiceTicket(serverName, acc); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
245 |
encodedTicket = ticket.getEncoded(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
246 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
247 |
// Record the Kerberos principals |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
248 |
peerPrincipal = ticket.getServer(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
249 |
localPrincipal = ticket.getClient(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
250 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
251 |
// Optional authenticator, encrypted using session key, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
252 |
// currently ignored |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
253 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
254 |
// Generate premaster secret and encrypt it using session key |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
255 |
EncryptionKey sessionKey = new EncryptionKey( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
256 |
ticket.getSessionKeyType(), |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
257 |
ticket.getSessionKey().getEncoded()); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
258 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
259 |
preMaster = new KerberosPreMasterSecret(protocolVersion, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
260 |
rand, sessionKey); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
261 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
262 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
263 |
ExchangerImpl( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
264 |
ProtocolVersion protocolVersion, ProtocolVersion clientVersion, SecureRandom rand, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
265 |
byte[] encodedTicket, byte[] encrypted, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
266 |
AccessControlContext acc, Object serviceCreds) throws IOException {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
267 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
268 |
// Read ticket |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
269 |
this.encodedTicket = encodedTicket; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
270 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
271 |
if (debug != null && Debug.isOn("verbose")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
272 |
Debug.println(System.out, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
273 |
"encoded Kerberos service ticket", encodedTicket); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
274 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
275 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
276 |
EncryptionKey sessionKey = null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
277 |
KerberosPrincipal tmpPeer = null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
278 |
KerberosPrincipal tmpLocal = null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
279 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
280 |
try {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
281 |
Ticket t = new Ticket(encodedTicket); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
282 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
283 |
EncryptedData encPart = t.encPart; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
284 |
PrincipalName ticketSname = t.sname; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
285 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
286 |
final ServiceCreds creds = (ServiceCreds)serviceCreds; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
287 |
final KerberosPrincipal princ = |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
288 |
new KerberosPrincipal(ticketSname.toString()); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
289 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
290 |
// For bound service, permission already checked at setup |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
291 |
if (creds.getName() == null) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
292 |
SecurityManager sm = System.getSecurityManager(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
293 |
try {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
294 |
if (sm != null) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
295 |
// Eliminate dependency on ServicePermission |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
296 |
sm.checkPermission(new ServicePermission( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
297 |
ticketSname.toString(), "accept"), acc); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
298 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
299 |
} catch (SecurityException se) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
300 |
serviceCreds = null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
301 |
// Do not destroy keys. Will affect Subject |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
302 |
if (debug != null && Debug.isOn("handshake")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
303 |
System.out.println("Permission to access Kerberos"
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
304 |
+ " secret key denied"); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
305 |
se.printStackTrace(System.out); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
306 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
307 |
throw new IOException("Kerberos service not allowedy");
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
308 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
309 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
310 |
KerberosKey[] serverKeys = AccessController.doPrivileged( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
311 |
new PrivilegedAction<KerberosKey[]>() {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
312 |
@Override |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
313 |
public KerberosKey[] run() {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
314 |
return creds.getKKeys(princ); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
315 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
316 |
}); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
317 |
if (serverKeys.length == 0) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
318 |
throw new IOException("Found no key for " + princ +
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
319 |
(creds.getName() == null ? "" : |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
320 |
(", this keytab is for " + creds.getName() + " only")));
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
321 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
322 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
323 |
/* |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
324 |
* permission to access and use the secret key of the Kerberized |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
325 |
* "host" service is done in ServerHandshaker.getKerberosKeys() |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
326 |
* to ensure server has the permission to use the secret key |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
327 |
* before promising the client |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
328 |
*/ |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
329 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
330 |
// See if we have the right key to decrypt the ticket to get |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
331 |
// the session key. |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
332 |
int encPartKeyType = encPart.getEType(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
333 |
Integer encPartKeyVersion = encPart.getKeyVersionNumber(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
334 |
KerberosKey dkey = null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
335 |
try {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
336 |
dkey = findKey(encPartKeyType, encPartKeyVersion, serverKeys); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
337 |
} catch (KrbException ke) { // a kvno mismatch
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
338 |
throw new IOException( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
339 |
"Cannot find key matching version number", ke); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
340 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
341 |
if (dkey == null) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
342 |
// %%% Should print string repr of etype |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
343 |
throw new IOException("Cannot find key of appropriate type" +
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
344 |
" to decrypt ticket - need etype " + encPartKeyType); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
345 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
346 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
347 |
EncryptionKey secretKey = new EncryptionKey( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
348 |
encPartKeyType, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
349 |
dkey.getEncoded()); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
350 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
351 |
// Decrypt encPart using server's secret key |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
352 |
byte[] bytes = encPart.decrypt(secretKey, KeyUsage.KU_TICKET); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
353 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
354 |
// Reset data stream after decryption, remove redundant bytes |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
355 |
byte[] temp = encPart.reset(bytes); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
356 |
EncTicketPart encTicketPart = new EncTicketPart(temp); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
357 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
358 |
// Record the Kerberos Principals |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
359 |
tmpPeer = new KerberosPrincipal(encTicketPart.cname.getName()); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
360 |
tmpLocal = new KerberosPrincipal(ticketSname.getName()); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
361 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
362 |
sessionKey = encTicketPart.key; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
363 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
364 |
if (debug != null && Debug.isOn("handshake")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
365 |
System.out.println("server principal: " + ticketSname);
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
366 |
System.out.println("cname: " + encTicketPart.cname.toString());
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
367 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
368 |
} catch (IOException e) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
369 |
throw e; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
370 |
} catch (Exception e) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
371 |
if (debug != null && Debug.isOn("handshake")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
372 |
System.out.println("KerberosWrapper error getting session key,"
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
373 |
+ " generating random secret (" + e.getMessage() + ")");
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
374 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
375 |
sessionKey = null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
376 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
377 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
378 |
//input.getBytes16(); // XXX Read and ignore authenticator |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
379 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
380 |
if (sessionKey != null) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
381 |
preMaster = new KerberosPreMasterSecret(protocolVersion, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
382 |
clientVersion, rand, encrypted, sessionKey); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
383 |
} else {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
384 |
// Generate bogus premaster secret |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
385 |
preMaster = new KerberosPreMasterSecret(clientVersion, rand); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
386 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
387 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
388 |
peerPrincipal = tmpPeer; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
389 |
localPrincipal = tmpLocal; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
390 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
391 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
392 |
// Similar to sun.security.jgss.krb5.Krb5InitCredenetial/Krb5Context |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
393 |
private static KerberosTicket getServiceTicket(String serverName, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
394 |
final AccessControlContext acc) throws IOException {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
395 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
396 |
if ("localhost".equals(serverName) ||
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
397 |
"localhost.localdomain".equals(serverName)) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
398 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
399 |
if (debug != null && Debug.isOn("handshake")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
400 |
System.out.println("Get the local hostname");
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
401 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
402 |
String localHost = java.security.AccessController.doPrivileged( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
403 |
new java.security.PrivilegedAction<String>() {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
404 |
public String run() {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
405 |
try {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
406 |
return InetAddress.getLocalHost().getHostName(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
407 |
} catch (java.net.UnknownHostException e) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
408 |
if (debug != null && Debug.isOn("handshake")) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
409 |
System.out.println("Warning,"
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
410 |
+ " cannot get the local hostname: " |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
411 |
+ e.getMessage()); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
412 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
413 |
return null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
414 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
415 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
416 |
}); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
417 |
if (localHost != null) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
418 |
serverName = localHost; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
419 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
420 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
421 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
422 |
// Resolve serverName (possibly in IP addr form) to Kerberos principal |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
423 |
// name for service with hostname |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
424 |
String serviceName = "host/" + serverName; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
425 |
PrincipalName principal; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
426 |
try {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
427 |
principal = new PrincipalName(serviceName, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
428 |
PrincipalName.KRB_NT_SRV_HST); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
429 |
} catch (SecurityException se) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
430 |
throw se; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
431 |
} catch (Exception e) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
432 |
IOException ioe = new IOException("Invalid service principal" +
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
433 |
" name: " + serviceName); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
434 |
ioe.initCause(e); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
435 |
throw ioe; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
436 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
437 |
String realm = principal.getRealmAsString(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
438 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
439 |
final String serverPrincipal = principal.toString(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
440 |
final String tgsPrincipal = "krbtgt/" + realm + "@" + realm; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
441 |
final String clientPrincipal = null; // use default |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
442 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
443 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
444 |
// check permission to obtain a service ticket to initiate a |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
445 |
// context with the "host" service |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
446 |
SecurityManager sm = System.getSecurityManager(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
447 |
if (sm != null) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
448 |
sm.checkPermission(new ServicePermission(serverPrincipal, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
449 |
"initiate"), acc); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
450 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
451 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
452 |
try {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
453 |
KerberosTicket ticket = AccessController.doPrivileged( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
454 |
new PrivilegedExceptionAction<KerberosTicket>() {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
455 |
public KerberosTicket run() throws Exception {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
456 |
return Krb5Util.getTicketFromSubjectAndTgs( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
457 |
GSSCaller.CALLER_SSL_CLIENT, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
458 |
clientPrincipal, serverPrincipal, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
459 |
tgsPrincipal, acc); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
460 |
}}); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
461 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
462 |
if (ticket == null) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
463 |
throw new IOException("Failed to find any kerberos service" +
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
464 |
" ticket for " + serverPrincipal); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
465 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
466 |
return ticket; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
467 |
} catch (PrivilegedActionException e) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
468 |
IOException ioe = new IOException( |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
469 |
"Attempt to obtain kerberos service ticket for " + |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
470 |
serverPrincipal + " failed!"); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
471 |
ioe.initCause(e); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
472 |
throw ioe; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
473 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
474 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
475 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
476 |
@Override |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
477 |
public SecretKey clientKeyExchange() {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
478 |
byte[] secretBytes = preMaster.getUnencrypted(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
479 |
return new SecretKeySpec(secretBytes, "TlsPremasterSecret"); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
480 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
481 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
482 |
@Override |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
483 |
public Principal getPeerPrincipal() {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
484 |
return peerPrincipal; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
485 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
486 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
487 |
@Override |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
488 |
public Principal getLocalPrincipal() {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
489 |
return localPrincipal; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
490 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
491 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
492 |
/** |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
493 |
* Determines if a kvno matches another kvno. Used in the method |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
494 |
* findKey(etype, version, keys). Always returns true if either input |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
495 |
* is null or zero, in case any side does not have kvno info available. |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
496 |
* |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
497 |
* Note: zero is included because N/A is not a legal value for kvno |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
498 |
* in javax.security.auth.kerberos.KerberosKey. Therefore, the info |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
499 |
* that the kvno is N/A might be lost when converting between |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
500 |
* EncryptionKey and KerberosKey. |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
501 |
*/ |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
502 |
private static boolean versionMatches(Integer v1, int v2) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
503 |
if (v1 == null || v1 == 0 || v2 == 0) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
504 |
return true; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
505 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
506 |
return v1.equals(v2); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
507 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
508 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
509 |
private static KerberosKey findKey(int etype, Integer version, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
510 |
KerberosKey[] keys) throws KrbException {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
511 |
int ktype; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
512 |
boolean etypeFound = false; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
513 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
514 |
// When no matched kvno is found, returns tke key of the same |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
515 |
// etype with the highest kvno |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
516 |
int kvno_found = 0; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
517 |
KerberosKey key_found = null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
518 |
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
519 |
for (int i = 0; i < keys.length; i++) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
520 |
ktype = keys[i].getKeyType(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
521 |
if (etype == ktype) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
522 |
int kv = keys[i].getVersionNumber(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
523 |
etypeFound = true; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
524 |
if (versionMatches(version, kv)) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
525 |
return keys[i]; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
526 |
} else if (kv > kvno_found) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
527 |
key_found = keys[i]; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
528 |
kvno_found = kv; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
529 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
530 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
531 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
532 |
// Key not found. |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
533 |
// %%% kludge to allow DES keys to be used for diff etypes |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
534 |
if ((etype == EncryptedData.ETYPE_DES_CBC_CRC || |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
535 |
etype == EncryptedData.ETYPE_DES_CBC_MD5)) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
536 |
for (int i = 0; i < keys.length; i++) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
537 |
ktype = keys[i].getKeyType(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
538 |
if (ktype == EncryptedData.ETYPE_DES_CBC_CRC || |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
539 |
ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
540 |
int kv = keys[i].getVersionNumber(); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
541 |
etypeFound = true; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
542 |
if (versionMatches(version, kv)) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
543 |
return new KerberosKey(keys[i].getPrincipal(), |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
544 |
keys[i].getEncoded(), |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
545 |
etype, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
546 |
kv); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
547 |
} else if (kv > kvno_found) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
548 |
key_found = new KerberosKey(keys[i].getPrincipal(), |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
549 |
keys[i].getEncoded(), |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
550 |
etype, |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
551 |
kv); |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
552 |
kvno_found = kv; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
553 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
554 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
555 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
556 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
557 |
if (etypeFound) {
|
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
558 |
return key_found; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
559 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
560 |
return null; |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
561 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
562 |
} |
|
bba6fefdd660
8038089: TLS optional support for Kerberos cipher suites needs to be re-examine
weijun
parents:
diff
changeset
|
563 |
} |