|
2
|
1 |
/*
|
|
|
2 |
* Portions Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved.
|
|
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
4 |
*
|
|
|
5 |
* This code is free software; you can redistribute it and/or modify it
|
|
|
6 |
* under the terms of the GNU General Public License version 2 only, as
|
|
|
7 |
* published by the Free Software Foundation. Sun designates this
|
|
|
8 |
* particular file as subject to the "Classpath" exception as provided
|
|
|
9 |
* by Sun in the LICENSE file that accompanied this code.
|
|
|
10 |
*
|
|
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that
|
|
|
15 |
* accompanied this code).
|
|
|
16 |
*
|
|
|
17 |
* You should have received a copy of the GNU General Public License version
|
|
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
20 |
*
|
|
|
21 |
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
|
|
22 |
* CA 95054 USA or visit www.sun.com if you need additional information or
|
|
|
23 |
* have any questions.
|
|
|
24 |
*/
|
|
|
25 |
|
|
|
26 |
/*
|
|
|
27 |
*
|
|
|
28 |
* (C) Copyright IBM Corp. 1999 All Rights Reserved.
|
|
|
29 |
* Copyright 1997 The Open Group Research Institute. All rights reserved.
|
|
|
30 |
*/
|
|
|
31 |
|
|
|
32 |
package sun.security.krb5;
|
|
|
33 |
|
|
|
34 |
import sun.security.krb5.internal.*;
|
|
|
35 |
import sun.security.krb5.internal.crypto.*;
|
|
|
36 |
import sun.security.krb5.internal.rcache.*;
|
|
|
37 |
import java.net.InetAddress;
|
|
|
38 |
import sun.security.util.*;
|
|
|
39 |
import java.io.IOException;
|
|
|
40 |
|
|
|
41 |
/**
|
|
|
42 |
* This class encapsulates a KRB-AP-REQ that a client sends to a
|
|
|
43 |
* server for authentication.
|
|
|
44 |
*/
|
|
|
45 |
public class KrbApReq {
|
|
|
46 |
|
|
|
47 |
private byte[] obuf;
|
|
|
48 |
private KerberosTime ctime;
|
|
|
49 |
private int cusec;
|
|
|
50 |
private Authenticator authenticator;
|
|
|
51 |
private Credentials creds;
|
|
|
52 |
private APReq apReqMessg;
|
|
|
53 |
|
|
|
54 |
private static CacheTable table = new CacheTable();
|
|
|
55 |
private static boolean DEBUG = Krb5.DEBUG;
|
|
|
56 |
|
|
|
57 |
// default is address-less tickets
|
|
|
58 |
private boolean KDC_EMPTY_ADDRESSES_ALLOWED = true;
|
|
|
59 |
|
|
|
60 |
/**
|
|
|
61 |
* Contructs a AP-REQ message to send to the peer.
|
|
|
62 |
* @param tgsCred the <code>Credentials</code> to be used to construct the
|
|
|
63 |
* AP Request protocol message.
|
|
|
64 |
* @param mutualRequired Whether mutual authentication is required
|
|
|
65 |
* @param useSubkey Whether the subkey is to be used to protect this
|
|
|
66 |
* specific application session. If this is not set then the
|
|
|
67 |
* session key from the ticket will be used.
|
|
|
68 |
* @throws KrbException for any Kerberos protocol specific error
|
|
|
69 |
* @throws IOException for any IO related errors
|
|
|
70 |
* (e.g. socket operations)
|
|
|
71 |
*/
|
|
|
72 |
/*
|
|
|
73 |
// Not Used
|
|
|
74 |
public KrbApReq(Credentials tgsCred,
|
|
|
75 |
boolean mutualRequired,
|
|
|
76 |
boolean useSubKey,
|
|
|
77 |
boolean useSeqNumber) throws Asn1Exception,
|
|
|
78 |
KrbCryptoException, KrbException, IOException {
|
|
|
79 |
|
|
|
80 |
this(tgsCred, mutualRequired, useSubKey, useSeqNumber, null);
|
|
|
81 |
}
|
|
|
82 |
*/
|
|
|
83 |
|
|
|
84 |
/**
|
|
|
85 |
* Contructs a AP-REQ message to send to the peer.
|
|
|
86 |
* @param tgsCred the <code>Credentials</code> to be used to construct the
|
|
|
87 |
* AP Request protocol message.
|
|
|
88 |
* @param mutualRequired Whether mutual authentication is required
|
|
|
89 |
* @param useSubkey Whether the subkey is to be used to protect this
|
|
|
90 |
* specific application session. If this is not set then the
|
|
|
91 |
* session key from the ticket will be used.
|
|
|
92 |
* @param checksum checksum of the the application data that accompanies
|
|
|
93 |
* the KRB_AP_REQ.
|
|
|
94 |
* @throws KrbException for any Kerberos protocol specific error
|
|
|
95 |
* @throws IOException for any IO related errors
|
|
|
96 |
* (e.g. socket operations)
|
|
|
97 |
*/
|
|
|
98 |
// Used in InitSecContextToken
|
|
|
99 |
public KrbApReq(Credentials tgsCred,
|
|
|
100 |
boolean mutualRequired,
|
|
|
101 |
boolean useSubKey,
|
|
|
102 |
boolean useSeqNumber,
|
|
|
103 |
Checksum cksum) throws Asn1Exception,
|
|
|
104 |
KrbCryptoException, KrbException, IOException {
|
|
|
105 |
|
|
|
106 |
APOptions apOptions = (mutualRequired?
|
|
|
107 |
new APOptions(Krb5.AP_OPTS_MUTUAL_REQUIRED):
|
|
|
108 |
new APOptions());
|
|
|
109 |
if (DEBUG)
|
|
|
110 |
System.out.println(">>> KrbApReq: APOptions are " + apOptions);
|
|
|
111 |
|
|
|
112 |
EncryptionKey subKey = (useSubKey?
|
|
|
113 |
new EncryptionKey(tgsCred.getSessionKey()):
|
|
|
114 |
null);
|
|
|
115 |
|
|
|
116 |
SeqNumber seqNum = new LocalSeqNumber();
|
|
|
117 |
|
|
|
118 |
init(apOptions,
|
|
|
119 |
tgsCred,
|
|
|
120 |
cksum,
|
|
|
121 |
subKey,
|
|
|
122 |
seqNum,
|
|
|
123 |
null, // AuthorizationData authzData
|
|
|
124 |
KeyUsage.KU_AP_REQ_AUTHENTICATOR);
|
|
|
125 |
|
|
|
126 |
}
|
|
|
127 |
|
|
|
128 |
/**
|
|
|
129 |
* Contructs a AP-REQ message from the bytes received from the
|
|
|
130 |
* peer.
|
|
|
131 |
* @param message The message received from the peer
|
|
|
132 |
* @param keys <code>EncrtyptionKey</code>s to decrypt the message;
|
|
|
133 |
* key selected will depend on etype used to encrypte data
|
|
|
134 |
* @throws KrbException for any Kerberos protocol specific error
|
|
|
135 |
* @throws IOException for any IO related errors
|
|
|
136 |
* (e.g. socket operations)
|
|
|
137 |
*/
|
|
|
138 |
// Used in InitSecContextToken (for AP_REQ and not TGS REQ)
|
|
|
139 |
public KrbApReq(byte[] message,
|
|
|
140 |
EncryptionKey[] keys,
|
|
|
141 |
InetAddress initiator)
|
|
|
142 |
throws KrbException, IOException {
|
|
|
143 |
obuf = message;
|
|
|
144 |
if (apReqMessg == null)
|
|
|
145 |
decode();
|
|
|
146 |
authenticate(keys, initiator);
|
|
|
147 |
}
|
|
|
148 |
|
|
|
149 |
/**
|
|
|
150 |
* Contructs a AP-REQ message from the bytes received from the
|
|
|
151 |
* peer.
|
|
|
152 |
* @param value The <code>DerValue</code> that contains the
|
|
|
153 |
* DER enoded AP-REQ protocol message
|
|
|
154 |
* @param keys <code>EncrtyptionKey</code>s to decrypt the message;
|
|
|
155 |
*
|
|
|
156 |
* @throws KrbException for any Kerberos protocol specific error
|
|
|
157 |
* @throws IOException for any IO related errors
|
|
|
158 |
* (e.g. socket operations)
|
|
|
159 |
*/
|
|
|
160 |
/*
|
|
|
161 |
public KrbApReq(DerValue value, EncryptionKey[] key, InetAddress initiator)
|
|
|
162 |
throws KrbException, IOException {
|
|
|
163 |
obuf = value.toByteArray();
|
|
|
164 |
if (apReqMessg == null)
|
|
|
165 |
decode(value);
|
|
|
166 |
authenticate(keys, initiator);
|
|
|
167 |
}
|
|
|
168 |
|
|
|
169 |
KrbApReq(APOptions options,
|
|
|
170 |
Credentials tgs_creds,
|
|
|
171 |
Checksum cksum,
|
|
|
172 |
EncryptionKey subKey,
|
|
|
173 |
SeqNumber seqNumber,
|
|
|
174 |
AuthorizationData authorizationData)
|
|
|
175 |
throws KrbException, IOException {
|
|
|
176 |
init(options, tgs_creds, cksum, subKey, seqNumber, authorizationData);
|
|
|
177 |
}
|
|
|
178 |
*/
|
|
|
179 |
|
|
|
180 |
/** used by KrbTgsReq **/
|
|
|
181 |
KrbApReq(APOptions apOptions,
|
|
|
182 |
Ticket ticket,
|
|
|
183 |
EncryptionKey key,
|
|
|
184 |
Realm crealm,
|
|
|
185 |
PrincipalName cname,
|
|
|
186 |
Checksum cksum,
|
|
|
187 |
KerberosTime ctime,
|
|
|
188 |
EncryptionKey subKey,
|
|
|
189 |
SeqNumber seqNumber,
|
|
|
190 |
AuthorizationData authorizationData)
|
|
|
191 |
throws Asn1Exception, IOException,
|
|
|
192 |
KdcErrException, KrbCryptoException {
|
|
|
193 |
|
|
|
194 |
init(apOptions, ticket, key, crealm, cname,
|
|
|
195 |
cksum, ctime, subKey, seqNumber, authorizationData,
|
|
|
196 |
KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR);
|
|
|
197 |
|
|
|
198 |
}
|
|
|
199 |
|
|
|
200 |
private void init(APOptions options,
|
|
|
201 |
Credentials tgs_creds,
|
|
|
202 |
Checksum cksum,
|
|
|
203 |
EncryptionKey subKey,
|
|
|
204 |
SeqNumber seqNumber,
|
|
|
205 |
AuthorizationData authorizationData,
|
|
|
206 |
int usage)
|
|
|
207 |
throws KrbException, IOException {
|
|
|
208 |
|
|
|
209 |
ctime = new KerberosTime(KerberosTime.NOW);
|
|
|
210 |
init(options,
|
|
|
211 |
tgs_creds.ticket,
|
|
|
212 |
tgs_creds.key,
|
|
|
213 |
tgs_creds.client.getRealm(),
|
|
|
214 |
tgs_creds.client,
|
|
|
215 |
cksum,
|
|
|
216 |
ctime,
|
|
|
217 |
subKey,
|
|
|
218 |
seqNumber,
|
|
|
219 |
authorizationData,
|
|
|
220 |
usage);
|
|
|
221 |
}
|
|
|
222 |
|
|
|
223 |
private void init(APOptions apOptions,
|
|
|
224 |
Ticket ticket,
|
|
|
225 |
EncryptionKey key,
|
|
|
226 |
Realm crealm,
|
|
|
227 |
PrincipalName cname,
|
|
|
228 |
Checksum cksum,
|
|
|
229 |
KerberosTime ctime,
|
|
|
230 |
EncryptionKey subKey,
|
|
|
231 |
SeqNumber seqNumber,
|
|
|
232 |
AuthorizationData authorizationData,
|
|
|
233 |
int usage)
|
|
|
234 |
throws Asn1Exception, IOException,
|
|
|
235 |
KdcErrException, KrbCryptoException {
|
|
|
236 |
|
|
|
237 |
createMessage(apOptions, ticket, key, crealm, cname,
|
|
|
238 |
cksum, ctime, subKey, seqNumber, authorizationData,
|
|
|
239 |
usage);
|
|
|
240 |
obuf = apReqMessg.asn1Encode();
|
|
|
241 |
}
|
|
|
242 |
|
|
|
243 |
|
|
|
244 |
void decode() throws KrbException, IOException {
|
|
|
245 |
DerValue encoding = new DerValue(obuf);
|
|
|
246 |
decode(encoding);
|
|
|
247 |
}
|
|
|
248 |
|
|
|
249 |
void decode(DerValue encoding) throws KrbException, IOException {
|
|
|
250 |
apReqMessg = null;
|
|
|
251 |
try {
|
|
|
252 |
apReqMessg = new APReq(encoding);
|
|
|
253 |
} catch (Asn1Exception e) {
|
|
|
254 |
apReqMessg = null;
|
|
|
255 |
KRBError err = new KRBError(encoding);
|
|
|
256 |
String errStr = err.getErrorString();
|
|
|
257 |
String eText;
|
|
|
258 |
if (errStr.charAt(errStr.length() - 1) == 0)
|
|
|
259 |
eText = errStr.substring(0, errStr.length() - 1);
|
|
|
260 |
else
|
|
|
261 |
eText = errStr;
|
|
|
262 |
KrbException ke = new KrbException(err.getErrorCode(), eText);
|
|
|
263 |
ke.initCause(e);
|
|
|
264 |
throw ke;
|
|
|
265 |
}
|
|
|
266 |
}
|
|
|
267 |
|
|
|
268 |
private void authenticate(EncryptionKey[] keys, InetAddress initiator)
|
|
|
269 |
throws KrbException, IOException {
|
|
|
270 |
int encPartKeyType = apReqMessg.ticket.encPart.getEType();
|
|
|
271 |
EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, keys);
|
|
|
272 |
|
|
|
273 |
if (dkey == null) {
|
|
|
274 |
throw new KrbException(Krb5.API_INVALID_ARG,
|
|
|
275 |
"Cannot find key of appropriate type to decrypt AP REP - " +
|
|
|
276 |
EType.toString(encPartKeyType));
|
|
|
277 |
}
|
|
|
278 |
|
|
|
279 |
byte[] bytes = apReqMessg.ticket.encPart.decrypt(dkey,
|
|
|
280 |
KeyUsage.KU_TICKET);
|
|
|
281 |
byte[] temp = apReqMessg.ticket.encPart.reset(bytes, true);
|
|
|
282 |
EncTicketPart enc_ticketPart = new EncTicketPart(temp);
|
|
|
283 |
|
|
|
284 |
checkPermittedEType(enc_ticketPart.key.getEType());
|
|
|
285 |
|
|
|
286 |
byte[] bytes2 = apReqMessg.authenticator.decrypt(enc_ticketPart.key,
|
|
|
287 |
KeyUsage.KU_AP_REQ_AUTHENTICATOR);
|
|
|
288 |
byte[] temp2 = apReqMessg.authenticator.reset(bytes2, true);
|
|
|
289 |
authenticator = new Authenticator(temp2);
|
|
|
290 |
ctime = authenticator.ctime;
|
|
|
291 |
cusec = authenticator.cusec;
|
|
|
292 |
authenticator.ctime.setMicroSeconds(authenticator.cusec);
|
|
|
293 |
authenticator.cname.setRealm(authenticator.crealm);
|
|
|
294 |
apReqMessg.ticket.sname.setRealm(apReqMessg.ticket.realm);
|
|
|
295 |
enc_ticketPart.cname.setRealm(enc_ticketPart.crealm);
|
|
|
296 |
|
|
|
297 |
Config.getInstance().resetDefaultRealm(apReqMessg.ticket.realm.toString());
|
|
|
298 |
|
|
|
299 |
if (!authenticator.cname.equals(enc_ticketPart.cname))
|
|
|
300 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADMATCH);
|
|
|
301 |
|
|
|
302 |
KerberosTime currTime = new KerberosTime(KerberosTime.NOW);
|
|
|
303 |
if (!authenticator.ctime.inClockSkew(currTime))
|
|
|
304 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
|
|
|
305 |
|
|
|
306 |
// start to check if it is a replay attack.
|
|
|
307 |
AuthTime time =
|
|
|
308 |
new AuthTime(authenticator.ctime.getTime(), authenticator.cusec);
|
|
|
309 |
String client = authenticator.cname.toString();
|
|
|
310 |
if (table.get(time, authenticator.cname.toString()) != null) {
|
|
|
311 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT);
|
|
|
312 |
} else {
|
|
|
313 |
table.put(client, time, currTime.getTime());
|
|
|
314 |
}
|
|
|
315 |
|
|
|
316 |
// check to use addresses in tickets
|
|
|
317 |
if (Config.getInstance().useAddresses()) {
|
|
|
318 |
KDC_EMPTY_ADDRESSES_ALLOWED = false;
|
|
|
319 |
}
|
|
|
320 |
|
|
|
321 |
// sender host address
|
|
|
322 |
HostAddress sender = null;
|
|
|
323 |
if (initiator != null) {
|
|
|
324 |
sender = new HostAddress(initiator);
|
|
|
325 |
}
|
|
|
326 |
|
|
|
327 |
if (sender != null || !KDC_EMPTY_ADDRESSES_ALLOWED) {
|
|
|
328 |
if (enc_ticketPart.caddr != null) {
|
|
|
329 |
if (sender == null)
|
|
|
330 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
|
|
|
331 |
if (!enc_ticketPart.caddr.inList(sender))
|
|
|
332 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
|
|
|
333 |
}
|
|
|
334 |
}
|
|
|
335 |
|
|
|
336 |
// XXX check for repeated authenticator
|
|
|
337 |
// if found
|
|
|
338 |
// throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT);
|
|
|
339 |
// else
|
|
|
340 |
// save authenticator to check for later
|
|
|
341 |
|
|
|
342 |
KerberosTime now = new KerberosTime(KerberosTime.NOW);
|
|
|
343 |
|
|
|
344 |
if ((enc_ticketPart.starttime != null &&
|
|
|
345 |
enc_ticketPart.starttime.greaterThanWRTClockSkew(now)) ||
|
|
|
346 |
enc_ticketPart.flags.get(Krb5.TKT_OPTS_INVALID))
|
|
|
347 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_TKT_NYV);
|
|
|
348 |
|
|
|
349 |
// if the current time is later than end time by more
|
|
|
350 |
// than the allowable clock skew, throws ticket expired exception.
|
|
|
351 |
if (enc_ticketPart.endtime != null &&
|
|
|
352 |
now.greaterThanWRTClockSkew(enc_ticketPart.endtime)) {
|
|
|
353 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_TKT_EXPIRED);
|
|
|
354 |
}
|
|
|
355 |
|
|
|
356 |
creds = new Credentials(
|
|
|
357 |
apReqMessg.ticket,
|
|
|
358 |
authenticator.cname,
|
|
|
359 |
apReqMessg.ticket.sname,
|
|
|
360 |
enc_ticketPart.key,
|
|
|
361 |
null,
|
|
|
362 |
enc_ticketPart.authtime,
|
|
|
363 |
enc_ticketPart.starttime,
|
|
|
364 |
enc_ticketPart.endtime,
|
|
|
365 |
enc_ticketPart.renewTill,
|
|
|
366 |
enc_ticketPart.caddr);
|
|
|
367 |
if (DEBUG) {
|
|
|
368 |
System.out.println(">>> KrbApReq: authenticate succeed.");
|
|
|
369 |
}
|
|
|
370 |
}
|
|
|
371 |
|
|
|
372 |
/**
|
|
|
373 |
* Returns the credentials that are contained in the ticket that
|
|
|
374 |
* is part of this this AP-REP.
|
|
|
375 |
*/
|
|
|
376 |
public Credentials getCreds() {
|
|
|
377 |
return creds;
|
|
|
378 |
}
|
|
|
379 |
|
|
|
380 |
KerberosTime getCtime() {
|
|
|
381 |
if (ctime != null)
|
|
|
382 |
return ctime;
|
|
|
383 |
return authenticator.ctime;
|
|
|
384 |
}
|
|
|
385 |
|
|
|
386 |
int cusec() {
|
|
|
387 |
return cusec;
|
|
|
388 |
}
|
|
|
389 |
|
|
|
390 |
APOptions getAPOptions() throws KrbException, IOException {
|
|
|
391 |
if (apReqMessg == null)
|
|
|
392 |
decode();
|
|
|
393 |
if (apReqMessg != null)
|
|
|
394 |
return apReqMessg.apOptions;
|
|
|
395 |
return null;
|
|
|
396 |
}
|
|
|
397 |
|
|
|
398 |
/**
|
|
|
399 |
* Returns true if mutual authentication is required and hence an
|
|
|
400 |
* AP-REP will need to be generated.
|
|
|
401 |
* @throws KrbException
|
|
|
402 |
* @throws IOException
|
|
|
403 |
*/
|
|
|
404 |
public boolean getMutualAuthRequired() throws KrbException, IOException {
|
|
|
405 |
if (apReqMessg == null)
|
|
|
406 |
decode();
|
|
|
407 |
if (apReqMessg != null)
|
|
|
408 |
return apReqMessg.apOptions.get(Krb5.AP_OPTS_MUTUAL_REQUIRED);
|
|
|
409 |
return false;
|
|
|
410 |
}
|
|
|
411 |
|
|
|
412 |
boolean useSessionKey() throws KrbException, IOException {
|
|
|
413 |
if (apReqMessg == null)
|
|
|
414 |
decode();
|
|
|
415 |
if (apReqMessg != null)
|
|
|
416 |
return apReqMessg.apOptions.get(Krb5.AP_OPTS_USE_SESSION_KEY);
|
|
|
417 |
return false;
|
|
|
418 |
}
|
|
|
419 |
|
|
|
420 |
/**
|
|
|
421 |
* Returns the optional subkey stored in the Authenticator for
|
|
|
422 |
* this message. Returns null if none is stored.
|
|
|
423 |
*/
|
|
|
424 |
public EncryptionKey getSubKey() {
|
|
|
425 |
// XXX Can authenticator be null
|
|
|
426 |
return authenticator.getSubKey();
|
|
|
427 |
}
|
|
|
428 |
|
|
|
429 |
/**
|
|
|
430 |
* Returns the optional sequence number stored in the
|
|
|
431 |
* Authenticator for this message. Returns null if none is
|
|
|
432 |
* stored.
|
|
|
433 |
*/
|
|
|
434 |
public Integer getSeqNumber() {
|
|
|
435 |
// XXX Can authenticator be null
|
|
|
436 |
return authenticator.getSeqNumber();
|
|
|
437 |
}
|
|
|
438 |
|
|
|
439 |
/**
|
|
|
440 |
* Returns the optional Checksum stored in the
|
|
|
441 |
* Authenticator for this message. Returns null if none is
|
|
|
442 |
* stored.
|
|
|
443 |
*/
|
|
|
444 |
public Checksum getChecksum() {
|
|
|
445 |
return authenticator.getChecksum();
|
|
|
446 |
}
|
|
|
447 |
|
|
|
448 |
/**
|
|
|
449 |
* Returns the ASN.1 encoding that should be sent to the peer.
|
|
|
450 |
*/
|
|
|
451 |
public byte[] getMessage() {
|
|
|
452 |
return obuf;
|
|
|
453 |
}
|
|
|
454 |
|
|
|
455 |
/**
|
|
|
456 |
* Returns the principal name of the client that generated this
|
|
|
457 |
* message.
|
|
|
458 |
*/
|
|
|
459 |
public PrincipalName getClient() {
|
|
|
460 |
return creds.getClient();
|
|
|
461 |
}
|
|
|
462 |
|
|
|
463 |
private void createMessage(APOptions apOptions,
|
|
|
464 |
Ticket ticket,
|
|
|
465 |
EncryptionKey key,
|
|
|
466 |
Realm crealm,
|
|
|
467 |
PrincipalName cname,
|
|
|
468 |
Checksum cksum,
|
|
|
469 |
KerberosTime ctime,
|
|
|
470 |
EncryptionKey subKey,
|
|
|
471 |
SeqNumber seqNumber,
|
|
|
472 |
AuthorizationData authorizationData,
|
|
|
473 |
int usage)
|
|
|
474 |
throws Asn1Exception, IOException,
|
|
|
475 |
KdcErrException, KrbCryptoException {
|
|
|
476 |
|
|
|
477 |
Integer seqno = null;
|
|
|
478 |
|
|
|
479 |
if (seqNumber != null)
|
|
|
480 |
seqno = new Integer(seqNumber.current());
|
|
|
481 |
|
|
|
482 |
authenticator =
|
|
|
483 |
new Authenticator(crealm,
|
|
|
484 |
cname,
|
|
|
485 |
cksum,
|
|
|
486 |
ctime.getMicroSeconds(),
|
|
|
487 |
ctime,
|
|
|
488 |
subKey,
|
|
|
489 |
seqno,
|
|
|
490 |
authorizationData);
|
|
|
491 |
|
|
|
492 |
byte[] temp = authenticator.asn1Encode();
|
|
|
493 |
|
|
|
494 |
EncryptedData encAuthenticator =
|
|
|
495 |
new EncryptedData(key, temp, usage);
|
|
|
496 |
|
|
|
497 |
apReqMessg =
|
|
|
498 |
new APReq(apOptions, ticket, encAuthenticator);
|
|
|
499 |
}
|
|
|
500 |
|
|
|
501 |
// Check that key is one of the permitted types
|
|
|
502 |
private static void checkPermittedEType(int target) throws KrbException {
|
|
|
503 |
int[] etypes = EType.getDefaults("permitted_enctypes");
|
|
|
504 |
if (etypes == null) {
|
|
|
505 |
throw new KrbException(
|
|
|
506 |
"No supported encryption types listed in permitted_enctypes");
|
|
|
507 |
}
|
|
|
508 |
if (!EType.isSupported(target, etypes)) {
|
|
|
509 |
throw new KrbException(EType.toString(target) +
|
|
|
510 |
" encryption type not in permitted_enctypes list");
|
|
|
511 |
}
|
|
|
512 |
}
|
|
|
513 |
}
|