author | weijun |
Wed, 07 Nov 2012 14:13:01 +0800 | |
changeset 14413 | e954df027393 |
parent 14342 | 8435a30053c1 |
child 15006 | 10d6aacdd67f |
permissions | -rw-r--r-- |
2 | 1 |
/* |
14342
8435a30053c1
7197491: update copyright year to match last edit in jdk8 jdk repository
alanb
parents:
13247
diff
changeset
|
2 |
* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
/* |
|
27 |
* |
|
28 |
* (C) Copyright IBM Corp. 1999 All Rights Reserved. |
|
29 |
* Copyright 1997 The Open Group Research Institute. All rights reserved. |
|
30 |
*/ |
|
31 |
||
32 |
package sun.security.krb5; |
|
33 |
||
34 |
import sun.security.krb5.internal.*; |
|
35 |
import sun.security.krb5.internal.crypto.*; |
|
36 |
import sun.security.krb5.internal.rcache.*; |
|
37 |
import java.net.InetAddress; |
|
38 |
import sun.security.util.*; |
|
39 |
import java.io.IOException; |
|
9240
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
40 |
import java.util.Arrays; |
2 | 41 |
|
42 |
/** |
|
43 |
* This class encapsulates a KRB-AP-REQ that a client sends to a |
|
44 |
* server for authentication. |
|
45 |
*/ |
|
46 |
public class KrbApReq { |
|
47 |
||
48 |
private byte[] obuf; |
|
49 |
private KerberosTime ctime; |
|
50 |
private int cusec; |
|
51 |
private Authenticator authenticator; |
|
52 |
private Credentials creds; |
|
53 |
private APReq apReqMessg; |
|
54 |
||
55 |
private static CacheTable table = new CacheTable(); |
|
56 |
private static boolean DEBUG = Krb5.DEBUG; |
|
57 |
||
58 |
/** |
|
59 |
* Contructs a AP-REQ message to send to the peer. |
|
60 |
* @param tgsCred the <code>Credentials</code> to be used to construct the |
|
61 |
* AP Request protocol message. |
|
62 |
* @param mutualRequired Whether mutual authentication is required |
|
63 |
* @param useSubkey Whether the subkey is to be used to protect this |
|
64 |
* specific application session. If this is not set then the |
|
65 |
* session key from the ticket will be used. |
|
66 |
* @throws KrbException for any Kerberos protocol specific error |
|
67 |
* @throws IOException for any IO related errors |
|
68 |
* (e.g. socket operations) |
|
69 |
*/ |
|
70 |
/* |
|
71 |
// Not Used |
|
72 |
public KrbApReq(Credentials tgsCred, |
|
73 |
boolean mutualRequired, |
|
74 |
boolean useSubKey, |
|
75 |
boolean useSeqNumber) throws Asn1Exception, |
|
76 |
KrbCryptoException, KrbException, IOException { |
|
77 |
||
78 |
this(tgsCred, mutualRequired, useSubKey, useSeqNumber, null); |
|
79 |
} |
|
80 |
*/ |
|
81 |
||
82 |
/** |
|
83 |
* Contructs a AP-REQ message to send to the peer. |
|
84 |
* @param tgsCred the <code>Credentials</code> to be used to construct the |
|
85 |
* AP Request protocol message. |
|
86 |
* @param mutualRequired Whether mutual authentication is required |
|
87 |
* @param useSubkey Whether the subkey is to be used to protect this |
|
88 |
* specific application session. If this is not set then the |
|
89 |
* session key from the ticket will be used. |
|
90 |
* @param checksum checksum of the the application data that accompanies |
|
91 |
* the KRB_AP_REQ. |
|
92 |
* @throws KrbException for any Kerberos protocol specific error |
|
93 |
* @throws IOException for any IO related errors |
|
94 |
* (e.g. socket operations) |
|
95 |
*/ |
|
96 |
// Used in InitSecContextToken |
|
97 |
public KrbApReq(Credentials tgsCred, |
|
98 |
boolean mutualRequired, |
|
99 |
boolean useSubKey, |
|
100 |
boolean useSeqNumber, |
|
101 |
Checksum cksum) throws Asn1Exception, |
|
102 |
KrbCryptoException, KrbException, IOException { |
|
103 |
||
104 |
APOptions apOptions = (mutualRequired? |
|
105 |
new APOptions(Krb5.AP_OPTS_MUTUAL_REQUIRED): |
|
106 |
new APOptions()); |
|
107 |
if (DEBUG) |
|
108 |
System.out.println(">>> KrbApReq: APOptions are " + apOptions); |
|
109 |
||
110 |
EncryptionKey subKey = (useSubKey? |
|
111 |
new EncryptionKey(tgsCred.getSessionKey()): |
|
112 |
null); |
|
113 |
||
114 |
SeqNumber seqNum = new LocalSeqNumber(); |
|
115 |
||
116 |
init(apOptions, |
|
117 |
tgsCred, |
|
118 |
cksum, |
|
119 |
subKey, |
|
120 |
seqNum, |
|
121 |
null, // AuthorizationData authzData |
|
122 |
KeyUsage.KU_AP_REQ_AUTHENTICATOR); |
|
123 |
||
124 |
} |
|
125 |
||
126 |
/** |
|
127 |
* Contructs a AP-REQ message from the bytes received from the |
|
128 |
* peer. |
|
129 |
* @param message The message received from the peer |
|
130 |
* @param keys <code>EncrtyptionKey</code>s to decrypt the message; |
|
131 |
* key selected will depend on etype used to encrypte data |
|
132 |
* @throws KrbException for any Kerberos protocol specific error |
|
133 |
* @throws IOException for any IO related errors |
|
134 |
* (e.g. socket operations) |
|
135 |
*/ |
|
136 |
// Used in InitSecContextToken (for AP_REQ and not TGS REQ) |
|
137 |
public KrbApReq(byte[] message, |
|
138 |
EncryptionKey[] keys, |
|
139 |
InetAddress initiator) |
|
140 |
throws KrbException, IOException { |
|
141 |
obuf = message; |
|
142 |
if (apReqMessg == null) |
|
143 |
decode(); |
|
144 |
authenticate(keys, initiator); |
|
145 |
} |
|
146 |
||
147 |
/** |
|
148 |
* Contructs a AP-REQ message from the bytes received from the |
|
149 |
* peer. |
|
150 |
* @param value The <code>DerValue</code> that contains the |
|
151 |
* DER enoded AP-REQ protocol message |
|
152 |
* @param keys <code>EncrtyptionKey</code>s to decrypt the message; |
|
153 |
* |
|
154 |
* @throws KrbException for any Kerberos protocol specific error |
|
155 |
* @throws IOException for any IO related errors |
|
156 |
* (e.g. socket operations) |
|
157 |
*/ |
|
158 |
/* |
|
159 |
public KrbApReq(DerValue value, EncryptionKey[] key, InetAddress initiator) |
|
160 |
throws KrbException, IOException { |
|
161 |
obuf = value.toByteArray(); |
|
162 |
if (apReqMessg == null) |
|
163 |
decode(value); |
|
164 |
authenticate(keys, initiator); |
|
165 |
} |
|
166 |
||
167 |
KrbApReq(APOptions options, |
|
168 |
Credentials tgs_creds, |
|
169 |
Checksum cksum, |
|
170 |
EncryptionKey subKey, |
|
171 |
SeqNumber seqNumber, |
|
172 |
AuthorizationData authorizationData) |
|
173 |
throws KrbException, IOException { |
|
174 |
init(options, tgs_creds, cksum, subKey, seqNumber, authorizationData); |
|
175 |
} |
|
176 |
*/ |
|
177 |
||
178 |
/** used by KrbTgsReq **/ |
|
179 |
KrbApReq(APOptions apOptions, |
|
180 |
Ticket ticket, |
|
181 |
EncryptionKey key, |
|
182 |
PrincipalName cname, |
|
183 |
Checksum cksum, |
|
184 |
KerberosTime ctime, |
|
185 |
EncryptionKey subKey, |
|
186 |
SeqNumber seqNumber, |
|
187 |
AuthorizationData authorizationData) |
|
188 |
throws Asn1Exception, IOException, |
|
189 |
KdcErrException, KrbCryptoException { |
|
190 |
||
13247 | 191 |
init(apOptions, ticket, key, cname, |
2 | 192 |
cksum, ctime, subKey, seqNumber, authorizationData, |
193 |
KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR); |
|
194 |
||
195 |
} |
|
196 |
||
197 |
private void init(APOptions options, |
|
198 |
Credentials tgs_creds, |
|
199 |
Checksum cksum, |
|
200 |
EncryptionKey subKey, |
|
201 |
SeqNumber seqNumber, |
|
202 |
AuthorizationData authorizationData, |
|
203 |
int usage) |
|
204 |
throws KrbException, IOException { |
|
205 |
||
206 |
ctime = new KerberosTime(KerberosTime.NOW); |
|
207 |
init(options, |
|
208 |
tgs_creds.ticket, |
|
209 |
tgs_creds.key, |
|
210 |
tgs_creds.client, |
|
211 |
cksum, |
|
212 |
ctime, |
|
213 |
subKey, |
|
214 |
seqNumber, |
|
215 |
authorizationData, |
|
216 |
usage); |
|
217 |
} |
|
218 |
||
219 |
private void init(APOptions apOptions, |
|
220 |
Ticket ticket, |
|
221 |
EncryptionKey key, |
|
222 |
PrincipalName cname, |
|
223 |
Checksum cksum, |
|
224 |
KerberosTime ctime, |
|
225 |
EncryptionKey subKey, |
|
226 |
SeqNumber seqNumber, |
|
227 |
AuthorizationData authorizationData, |
|
228 |
int usage) |
|
229 |
throws Asn1Exception, IOException, |
|
230 |
KdcErrException, KrbCryptoException { |
|
231 |
||
13247 | 232 |
createMessage(apOptions, ticket, key, cname, |
2 | 233 |
cksum, ctime, subKey, seqNumber, authorizationData, |
234 |
usage); |
|
235 |
obuf = apReqMessg.asn1Encode(); |
|
236 |
} |
|
237 |
||
238 |
||
239 |
void decode() throws KrbException, IOException { |
|
240 |
DerValue encoding = new DerValue(obuf); |
|
241 |
decode(encoding); |
|
242 |
} |
|
243 |
||
244 |
void decode(DerValue encoding) throws KrbException, IOException { |
|
245 |
apReqMessg = null; |
|
246 |
try { |
|
247 |
apReqMessg = new APReq(encoding); |
|
248 |
} catch (Asn1Exception e) { |
|
249 |
apReqMessg = null; |
|
250 |
KRBError err = new KRBError(encoding); |
|
251 |
String errStr = err.getErrorString(); |
|
252 |
String eText; |
|
253 |
if (errStr.charAt(errStr.length() - 1) == 0) |
|
254 |
eText = errStr.substring(0, errStr.length() - 1); |
|
255 |
else |
|
256 |
eText = errStr; |
|
257 |
KrbException ke = new KrbException(err.getErrorCode(), eText); |
|
258 |
ke.initCause(e); |
|
259 |
throw ke; |
|
260 |
} |
|
261 |
} |
|
262 |
||
263 |
private void authenticate(EncryptionKey[] keys, InetAddress initiator) |
|
264 |
throws KrbException, IOException { |
|
265 |
int encPartKeyType = apReqMessg.ticket.encPart.getEType(); |
|
4168
1a8d21bb898c
6893158: AP_REQ check should use key version number
weijun
parents:
3483
diff
changeset
|
266 |
Integer kvno = apReqMessg.ticket.encPart.getKeyVersionNumber(); |
1a8d21bb898c
6893158: AP_REQ check should use key version number
weijun
parents:
3483
diff
changeset
|
267 |
EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, kvno, keys); |
2 | 268 |
|
269 |
if (dkey == null) { |
|
270 |
throw new KrbException(Krb5.API_INVALID_ARG, |
|
271 |
"Cannot find key of appropriate type to decrypt AP REP - " + |
|
272 |
EType.toString(encPartKeyType)); |
|
273 |
} |
|
274 |
||
275 |
byte[] bytes = apReqMessg.ticket.encPart.decrypt(dkey, |
|
276 |
KeyUsage.KU_TICKET); |
|
5975
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
277 |
byte[] temp = apReqMessg.ticket.encPart.reset(bytes); |
2 | 278 |
EncTicketPart enc_ticketPart = new EncTicketPart(temp); |
279 |
||
280 |
checkPermittedEType(enc_ticketPart.key.getEType()); |
|
281 |
||
282 |
byte[] bytes2 = apReqMessg.authenticator.decrypt(enc_ticketPart.key, |
|
283 |
KeyUsage.KU_AP_REQ_AUTHENTICATOR); |
|
5975
076cd013e5e4
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
weijun
parents:
5506
diff
changeset
|
284 |
byte[] temp2 = apReqMessg.authenticator.reset(bytes2); |
2 | 285 |
authenticator = new Authenticator(temp2); |
286 |
ctime = authenticator.ctime; |
|
287 |
cusec = authenticator.cusec; |
|
288 |
authenticator.ctime.setMicroSeconds(authenticator.cusec); |
|
289 |
||
14413
e954df027393
6355584: Introduce constrained Kerberos delegation
weijun
parents:
14342
diff
changeset
|
290 |
if (!authenticator.cname.equals(enc_ticketPart.cname)) { |
2 | 291 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADMATCH); |
14413
e954df027393
6355584: Introduce constrained Kerberos delegation
weijun
parents:
14342
diff
changeset
|
292 |
} |
2 | 293 |
|
294 |
KerberosTime currTime = new KerberosTime(KerberosTime.NOW); |
|
295 |
if (!authenticator.ctime.inClockSkew(currTime)) |
|
296 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW); |
|
297 |
||
298 |
// start to check if it is a replay attack. |
|
299 |
AuthTime time = |
|
300 |
new AuthTime(authenticator.ctime.getTime(), authenticator.cusec); |
|
301 |
String client = authenticator.cname.toString(); |
|
302 |
if (table.get(time, authenticator.cname.toString()) != null) { |
|
303 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT); |
|
304 |
} else { |
|
305 |
table.put(client, time, currTime.getTime()); |
|
306 |
} |
|
307 |
||
308 |
if (initiator != null) { |
|
9240
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
309 |
// sender host address |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
310 |
HostAddress sender = new HostAddress(initiator); |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
311 |
if (enc_ticketPart.caddr != null |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
312 |
&& !enc_ticketPart.caddr.inList(sender)) { |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
313 |
if (DEBUG) { |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
314 |
System.out.println(">>> KrbApReq: initiator is " |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
315 |
+ sender.getInetAddress() |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
316 |
+ ", but caddr is " |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
317 |
+ Arrays.toString( |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
318 |
enc_ticketPart.caddr.getInetAddresses())); |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
319 |
} |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
5975
diff
changeset
|
320 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR); |
2 | 321 |
} |
322 |
} |
|
323 |
||
324 |
// XXX check for repeated authenticator |
|
325 |
// if found |
|
326 |
// throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT); |
|
327 |
// else |
|
328 |
// save authenticator to check for later |
|
329 |
||
330 |
KerberosTime now = new KerberosTime(KerberosTime.NOW); |
|
331 |
||
332 |
if ((enc_ticketPart.starttime != null && |
|
333 |
enc_ticketPart.starttime.greaterThanWRTClockSkew(now)) || |
|
334 |
enc_ticketPart.flags.get(Krb5.TKT_OPTS_INVALID)) |
|
335 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_TKT_NYV); |
|
336 |
||
337 |
// if the current time is later than end time by more |
|
338 |
// than the allowable clock skew, throws ticket expired exception. |
|
339 |
if (enc_ticketPart.endtime != null && |
|
340 |
now.greaterThanWRTClockSkew(enc_ticketPart.endtime)) { |
|
341 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_TKT_EXPIRED); |
|
342 |
} |
|
343 |
||
344 |
creds = new Credentials( |
|
345 |
apReqMessg.ticket, |
|
346 |
authenticator.cname, |
|
347 |
apReqMessg.ticket.sname, |
|
348 |
enc_ticketPart.key, |
|
3483
a16fce1820ef
6821190: more InquireType values for ExtendedGSSContext
weijun
parents:
3315
diff
changeset
|
349 |
enc_ticketPart.flags, |
2 | 350 |
enc_ticketPart.authtime, |
351 |
enc_ticketPart.starttime, |
|
352 |
enc_ticketPart.endtime, |
|
353 |
enc_ticketPart.renewTill, |
|
3483
a16fce1820ef
6821190: more InquireType values for ExtendedGSSContext
weijun
parents:
3315
diff
changeset
|
354 |
enc_ticketPart.caddr, |
a16fce1820ef
6821190: more InquireType values for ExtendedGSSContext
weijun
parents:
3315
diff
changeset
|
355 |
enc_ticketPart.authorizationData); |
2 | 356 |
if (DEBUG) { |
357 |
System.out.println(">>> KrbApReq: authenticate succeed."); |
|
358 |
} |
|
359 |
} |
|
360 |
||
361 |
/** |
|
362 |
* Returns the credentials that are contained in the ticket that |
|
363 |
* is part of this this AP-REP. |
|
364 |
*/ |
|
365 |
public Credentials getCreds() { |
|
366 |
return creds; |
|
367 |
} |
|
368 |
||
369 |
KerberosTime getCtime() { |
|
370 |
if (ctime != null) |
|
371 |
return ctime; |
|
372 |
return authenticator.ctime; |
|
373 |
} |
|
374 |
||
375 |
int cusec() { |
|
376 |
return cusec; |
|
377 |
} |
|
378 |
||
379 |
APOptions getAPOptions() throws KrbException, IOException { |
|
380 |
if (apReqMessg == null) |
|
381 |
decode(); |
|
382 |
if (apReqMessg != null) |
|
383 |
return apReqMessg.apOptions; |
|
384 |
return null; |
|
385 |
} |
|
386 |
||
387 |
/** |
|
388 |
* Returns true if mutual authentication is required and hence an |
|
389 |
* AP-REP will need to be generated. |
|
390 |
* @throws KrbException |
|
391 |
* @throws IOException |
|
392 |
*/ |
|
393 |
public boolean getMutualAuthRequired() throws KrbException, IOException { |
|
394 |
if (apReqMessg == null) |
|
395 |
decode(); |
|
396 |
if (apReqMessg != null) |
|
397 |
return apReqMessg.apOptions.get(Krb5.AP_OPTS_MUTUAL_REQUIRED); |
|
398 |
return false; |
|
399 |
} |
|
400 |
||
401 |
boolean useSessionKey() throws KrbException, IOException { |
|
402 |
if (apReqMessg == null) |
|
403 |
decode(); |
|
404 |
if (apReqMessg != null) |
|
405 |
return apReqMessg.apOptions.get(Krb5.AP_OPTS_USE_SESSION_KEY); |
|
406 |
return false; |
|
407 |
} |
|
408 |
||
409 |
/** |
|
410 |
* Returns the optional subkey stored in the Authenticator for |
|
411 |
* this message. Returns null if none is stored. |
|
412 |
*/ |
|
413 |
public EncryptionKey getSubKey() { |
|
414 |
// XXX Can authenticator be null |
|
415 |
return authenticator.getSubKey(); |
|
416 |
} |
|
417 |
||
418 |
/** |
|
419 |
* Returns the optional sequence number stored in the |
|
420 |
* Authenticator for this message. Returns null if none is |
|
421 |
* stored. |
|
422 |
*/ |
|
423 |
public Integer getSeqNumber() { |
|
424 |
// XXX Can authenticator be null |
|
425 |
return authenticator.getSeqNumber(); |
|
426 |
} |
|
427 |
||
428 |
/** |
|
429 |
* Returns the optional Checksum stored in the |
|
430 |
* Authenticator for this message. Returns null if none is |
|
431 |
* stored. |
|
432 |
*/ |
|
433 |
public Checksum getChecksum() { |
|
434 |
return authenticator.getChecksum(); |
|
435 |
} |
|
436 |
||
437 |
/** |
|
438 |
* Returns the ASN.1 encoding that should be sent to the peer. |
|
439 |
*/ |
|
440 |
public byte[] getMessage() { |
|
441 |
return obuf; |
|
442 |
} |
|
443 |
||
444 |
/** |
|
445 |
* Returns the principal name of the client that generated this |
|
446 |
* message. |
|
447 |
*/ |
|
448 |
public PrincipalName getClient() { |
|
449 |
return creds.getClient(); |
|
450 |
} |
|
451 |
||
452 |
private void createMessage(APOptions apOptions, |
|
453 |
Ticket ticket, |
|
454 |
EncryptionKey key, |
|
455 |
PrincipalName cname, |
|
456 |
Checksum cksum, |
|
457 |
KerberosTime ctime, |
|
458 |
EncryptionKey subKey, |
|
459 |
SeqNumber seqNumber, |
|
460 |
AuthorizationData authorizationData, |
|
461 |
int usage) |
|
462 |
throws Asn1Exception, IOException, |
|
463 |
KdcErrException, KrbCryptoException { |
|
464 |
||
465 |
Integer seqno = null; |
|
466 |
||
467 |
if (seqNumber != null) |
|
468 |
seqno = new Integer(seqNumber.current()); |
|
469 |
||
470 |
authenticator = |
|
13247 | 471 |
new Authenticator(cname, |
2 | 472 |
cksum, |
473 |
ctime.getMicroSeconds(), |
|
474 |
ctime, |
|
475 |
subKey, |
|
476 |
seqno, |
|
477 |
authorizationData); |
|
478 |
||
479 |
byte[] temp = authenticator.asn1Encode(); |
|
480 |
||
481 |
EncryptedData encAuthenticator = |
|
482 |
new EncryptedData(key, temp, usage); |
|
483 |
||
484 |
apReqMessg = |
|
485 |
new APReq(apOptions, ticket, encAuthenticator); |
|
486 |
} |
|
487 |
||
488 |
// Check that key is one of the permitted types |
|
489 |
private static void checkPermittedEType(int target) throws KrbException { |
|
490 |
int[] etypes = EType.getDefaults("permitted_enctypes"); |
|
491 |
if (etypes == null) { |
|
492 |
throw new KrbException( |
|
493 |
"No supported encryption types listed in permitted_enctypes"); |
|
494 |
} |
|
495 |
if (!EType.isSupported(target, etypes)) { |
|
496 |
throw new KrbException(EType.toString(target) + |
|
497 |
" encryption type not in permitted_enctypes list"); |
|
498 |
} |
|
499 |
} |
|
500 |
} |