6959292: regression: cannot login if session key and preauth does not use the same etype
Reviewed-by: xuelei, valeriep
/*
* Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
*
* (C) Copyright IBM Corp. 1999 All Rights Reserved.
* Copyright 1997 The Open Group Research Institute. All rights reserved.
*/
package sun.security.krb5;
import sun.security.krb5.internal.*;
import sun.security.krb5.internal.ccache.CredentialsCache;
import sun.security.krb5.internal.ktab.*;
import sun.security.krb5.internal.crypto.EType;
import java.io.File;
import java.io.IOException;
import java.util.Date;
import java.net.InetAddress;
/**
* This class encapsulates the concept of a Kerberos service
* credential. That includes a Kerberos ticket and an associated
* session key.
*/
public class Credentials {
Ticket ticket;
PrincipalName client;
PrincipalName server;
EncryptionKey key;
TicketFlags flags;
KerberosTime authTime;
KerberosTime startTime;
KerberosTime endTime;
KerberosTime renewTill;
HostAddresses cAddr;
EncryptionKey serviceKey;
AuthorizationData authzData;
private static boolean DEBUG = Krb5.DEBUG;
private static CredentialsCache cache;
static boolean alreadyLoaded = false;
private static boolean alreadyTried = false;
private static native Credentials acquireDefaultNativeCreds();
public Credentials(Ticket new_ticket,
PrincipalName new_client,
PrincipalName new_server,
EncryptionKey new_key,
TicketFlags new_flags,
KerberosTime authTime,
KerberosTime new_startTime,
KerberosTime new_endTime,
KerberosTime renewTill,
HostAddresses cAddr,
AuthorizationData authzData) {
this(new_ticket, new_client, new_server, new_key, new_flags,
authTime, new_startTime, new_endTime, renewTill, cAddr);
this.authzData = authzData;
}
public Credentials(Ticket new_ticket,
PrincipalName new_client,
PrincipalName new_server,
EncryptionKey new_key,
TicketFlags new_flags,
KerberosTime authTime,
KerberosTime new_startTime,
KerberosTime new_endTime,
KerberosTime renewTill,
HostAddresses cAddr) {
ticket = new_ticket;
client = new_client;
server = new_server;
key = new_key;
flags = new_flags;
this.authTime = authTime;
startTime = new_startTime;
endTime = new_endTime;
this.renewTill = renewTill;
this.cAddr = cAddr;
}
public Credentials(byte[] encoding,
String client,
String server,
byte[] keyBytes,
int keyType,
boolean[] flags,
Date authTime,
Date startTime,
Date endTime,
Date renewTill,
InetAddress[] cAddrs) throws KrbException, IOException {
this(new Ticket(encoding),
new PrincipalName(client, PrincipalName.KRB_NT_PRINCIPAL),
new PrincipalName(server, PrincipalName.KRB_NT_SRV_INST),
new EncryptionKey(keyType, keyBytes),
(flags == null? null: new TicketFlags(flags)),
(authTime == null? null: new KerberosTime(authTime)),
(startTime == null? null: new KerberosTime(startTime)),
(endTime == null? null: new KerberosTime(endTime)),
(renewTill == null? null: new KerberosTime(renewTill)),
null); // caddrs are in the encoding at this point
}
/**
* Acquires a service ticket for the specified service
* principal. If the service ticket is not already available, it
* obtains a new one from the KDC.
*/
/*
public Credentials(Credentials tgt, PrincipalName service)
throws KrbException {
}
*/
public final PrincipalName getClient() {
return client;
}
public final PrincipalName getServer() {
return server;
}
public final EncryptionKey getSessionKey() {
return key;
}
public final Date getAuthTime() {
if (authTime != null) {
return authTime.toDate();
} else {
return null;
}
}
public final Date getStartTime() {
if (startTime != null)
{
return startTime.toDate();
}
return null;
}
public final Date getEndTime() {
if (endTime != null)
{
return endTime.toDate();
}
return null;
}
public final Date getRenewTill() {
if (renewTill != null)
{
return renewTill.toDate();
}
return null;
}
public final boolean[] getFlags() {
if (flags == null) // Can be in a KRB-CRED
return null;
return flags.toBooleanArray();
}
public final InetAddress[] getClientAddresses() {
if (cAddr == null)
return null;
return cAddr.getInetAddresses();
}
public final byte[] getEncoded() {
byte[] retVal = null;
try {
retVal = ticket.asn1Encode();
} catch (Asn1Exception e) {
if (DEBUG)
System.out.println(e);
} catch (IOException ioe) {
if (DEBUG)
System.out.println(ioe);
}
return retVal;
}
public boolean isForwardable() {
return flags.get(Krb5.TKT_OPTS_FORWARDABLE);
}
public boolean isRenewable() {
return flags.get(Krb5.TKT_OPTS_RENEWABLE);
}
public Ticket getTicket() {
return ticket;
}
public TicketFlags getTicketFlags() {
return flags;
}
public AuthorizationData getAuthzData() {
return authzData;
}
/**
* Checks if the service ticket returned by the KDC has the OK-AS-DELEGATE
* flag set
* @return true if OK-AS_DELEGATE flag is set, otherwise, return false.
*/
public boolean checkDelegate() {
return flags.get(Krb5.TKT_OPTS_DELEGATE);
}
/**
* Reset TKT_OPTS_DELEGATE to false, called at credentials acquirement
* when one of the cross-realm TGTs does not have the OK-AS-DELEGATE
* flag set. This info must be preservable and restorable through
* the Krb5Util.credsToTicket/ticketToCreds() methods so that even if
* the service ticket is cached it still remembers the cross-realm
* authentication result.
*/
public void resetDelegate() {
flags.set(Krb5.TKT_OPTS_DELEGATE, false);
}
public Credentials renew() throws KrbException, IOException {
KDCOptions options = new KDCOptions();
options.set(KDCOptions.RENEW, true);
/*
* Added here to pass KrbKdcRep.check:73
*/
options.set(KDCOptions.RENEWABLE, true);
return new KrbTgsReq(options,
this,
server,
null, // from
null, // till
null, // rtime
null, // eTypes
cAddr,
null,
null,
null).sendAndGetCreds();
}
/**
* Returns a TGT for the given client principal from a ticket cache.
*
* @param princ the client principal. A value of null means that the
* default principal name in the credentials cache will be used.
* @param ticketCache the path to the tickets file. A value
* of null will be accepted to indicate that the default
* path should be searched
* @returns the TGT credentials or null if none were found. If the tgt
* expired, it is the responsibility of the caller to determine this.
*/
public static Credentials acquireTGTFromCache(PrincipalName princ,
String ticketCache)
throws KrbException, IOException {
if (ticketCache == null) {
// The default ticket cache on Windows is not a file.
String os = java.security.AccessController.doPrivileged(
new sun.security.action.GetPropertyAction("os.name"));
if (os.toUpperCase().startsWith("WINDOWS")) {
Credentials creds = acquireDefaultCreds();
if (creds == null) {
if (DEBUG) {
System.out.println(">>> Found no TGT's in LSA");
}
return null;
}
if (princ != null) {
if (creds.getClient().equals(princ)) {
if (DEBUG) {
System.out.println(">>> Obtained TGT from LSA: "
+ creds);
}
return creds;
} else {
if (DEBUG) {
System.out.println(">>> LSA contains TGT for "
+ creds.getClient()
+ " not "
+ princ);
}
return null;
}
} else {
if (DEBUG) {
System.out.println(">>> Obtained TGT from LSA: "
+ creds);
}
return creds;
}
}
}
/*
* Returns the appropriate cache. If ticketCache is null, it is the
* default cache otherwise it is the cache filename contained in it.
*/
CredentialsCache ccache =
CredentialsCache.getInstance(princ, ticketCache);
if (ccache == null)
return null;
sun.security.krb5.internal.ccache.Credentials tgtCred =
ccache.getDefaultCreds();
if (EType.isSupported(tgtCred.getEType())) {
return tgtCred.setKrbCreds();
} else {
if (DEBUG) {
System.out.println(
">>> unsupported key type found the default TGT: " +
tgtCred.getEType());
}
return null;
}
}
/**
* Returns a TGT for the given client principal via an AS-Exchange.
* This method causes pre-authentication data to be sent in the
* AS-REQ.
*
* @param princ the client principal. This value cannot be null.
* @param secretKey the secret key of the client principal.This value
* cannot be null.
* @returns the TGT credentials
*/
public static Credentials acquireTGT(PrincipalName princ,
EncryptionKey[] secretKeys,
char[] password)
throws KrbException, IOException {
if (princ == null)
throw new IllegalArgumentException(
"Cannot have null principal to do AS-Exchange");
if (secretKeys == null)
throw new IllegalArgumentException(
"Cannot have null secretKey to do AS-Exchange");
KrbAsRep asRep = null;
try {
asRep = sendASRequest(princ, secretKeys, null);
} catch (KrbException ke) {
if ((ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) ||
(ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED)) {
// process pre-auth info
if (DEBUG) {
System.out.println("AcquireTGT: PREAUTH FAILED/REQUIRED," +
" re-send AS-REQ");
}
KRBError error = ke.getError();
// update salt in PrincipalName
String newSalt = error.getSalt();
if (newSalt != null && newSalt.length() > 0) {
princ.setSalt(newSalt);
}
// refresh keys
if (password != null) {
secretKeys = EncryptionKey.acquireSecretKeys(password,
princ.getSalt(), true,
error.getEType(), error.getParams());
}
asRep = sendASRequest(princ, secretKeys, ke.getError());
} else {
throw ke;
}
}
return asRep.getCreds();
}
/**
* Sends the AS-REQ
*/
private static KrbAsRep sendASRequest(PrincipalName princ,
EncryptionKey[] secretKeys, KRBError error)
throws KrbException, IOException {
// %%%
KrbAsReq asReq = null;
if (error == null) {
asReq = new KrbAsReq(princ, secretKeys);
} else {
asReq = new KrbAsReq(princ, secretKeys, true,
error.getEType(), error.getSalt(), error.getParams());
}
String kdc = null;
KrbAsRep asRep = null;
try {
kdc = asReq.send();
asRep = asReq.getReply(secretKeys);
} catch (KrbException ke) {
if (ke.returnCode() == Krb5.KRB_ERR_RESPONSE_TOO_BIG) {
asReq.send(princ.getRealmString(), kdc, true);
asRep = asReq.getReply(secretKeys);
} else {
throw ke;
}
}
return asRep;
}
/**
* Acquires default credentials.
* <br>The possible locations for default credentials cache is searched in
* the following order:
* <ol>
* <li> The directory and cache file name specified by "KRB5CCNAME" system.
* property.
* <li> The directory and cache file name specified by "KRB5CCNAME"
* environment variable.
* <li> A cache file named krb5cc_{user.name} at {user.home} directory.
* </ol>
* @return a <code>KrbCreds</code> object if the credential is found,
* otherwise return null.
*/
// this method is intentionally changed to not check if the caller's
// principal name matches cache file's principal name.
// It assumes that the GSS call has
// the privilege to access the default cache file.
public static synchronized Credentials acquireDefaultCreds() {
Credentials result = null;
if (cache == null) {
cache = CredentialsCache.getInstance();
}
if (cache != null) {
if (DEBUG) {
System.out.println(">>> KrbCreds found the default ticket " +
"granting ticket in credential cache.");
}
sun.security.krb5.internal.ccache.Credentials temp =
cache.getDefaultCreds();
if (EType.isSupported(temp.getEType())) {
result = temp.setKrbCreds();
} else {
if (DEBUG) {
System.out.println(
">>> unsupported key type found the default TGT: " +
temp.getEType());
}
}
}
if (result == null) {
// Doesn't seem to be a default cache on this system or
// TGT has unsupported encryption type
if (!alreadyTried) {
// See if there's any native code to load
try {
ensureLoaded();
} catch (Exception e) {
if (DEBUG) {
System.out.println("Can not load credentials cache");
e.printStackTrace();
}
alreadyTried = true;
}
}
if (alreadyLoaded) {
// There is some native code
if (DEBUG)
System.out.println(">> Acquire default native Credentials");
result = acquireDefaultNativeCreds();
// only TGT with DES key will be returned by native method
}
}
return result;
}
/**
* Gets service credential from key table. The credential is used to
* decrypt the received client message
* and authenticate the client by verifying the client's credential.
*
* @param serviceName the name of service, using format component@realm
* @param keyTabFile the file of key table.
* @return a <code>KrbCreds</code> object.
*/
public static Credentials getServiceCreds(String serviceName,
File keyTabFile) {
EncryptionKey k = null;
PrincipalName service = null;
Credentials result = null;
try {
service = new PrincipalName(serviceName);
if (service.getRealm() == null) {
String realm = Config.getInstance().getDefaultRealm();
if (realm == null) {
return null;
} else {
service.setRealm(realm);
}
}
} catch (RealmException e) {
if (DEBUG) {
e.printStackTrace();
}
return null;
} catch (KrbException e) {
if (DEBUG) {
e.printStackTrace();
}
return null;
}
KeyTab kt;
if (keyTabFile == null) {
kt = KeyTab.getInstance();
} else {
kt = KeyTab.getInstance(keyTabFile);
}
if ((kt != null) && (kt.findServiceEntry(service))) {
k = kt.readServiceKey(service);
result = new Credentials(null, service, null, null, null,
null, null, null, null, null);
result.serviceKey = k;
}
return result;
}
/**
* Acquires credentials for a specified service using initial credential.
* When the service has a different realm
* from the initial credential, we do cross-realm authentication
* - first, we use the current credential to get
* a cross-realm credential from the local KDC, then use that
* cross-realm credential to request service credential
* from the foreigh KDC.
*
* @param service the name of service principal using format
* components@realm
* @param ccreds client's initial credential.
* @exception IOException if an error occurs in reading the credentials
* cache
* @exception KrbException if an error occurs specific to Kerberos
* @return a <code>Credentials</code> object.
*/
public static Credentials acquireServiceCreds(String service,
Credentials ccreds)
throws KrbException, IOException {
return CredentialsUtil.acquireServiceCreds(service, ccreds);
}
/*
* This method does the real job to request the service credential.
*/
private static Credentials serviceCreds(ServiceName service,
Credentials ccreds)
throws KrbException, IOException {
return new KrbTgsReq(
new KDCOptions(),
ccreds,
service,
null, // KerberosTime from
null, // KerberosTime till
null, // KerberosTime rtime
null, // int[] eTypes
null, // HostAddresses addresses
null, // AuthorizationData
null, // Ticket[] additionalTickets
null // EncryptionKey subSessionKey
).sendAndGetCreds();
}
public CredentialsCache getCache() {
return cache;
}
public EncryptionKey getServiceKey() {
return serviceKey;
}
/*
* Prints out debug info.
*/
public static void printDebug(Credentials c) {
System.out.println(">>> DEBUG: ----Credentials----");
System.out.println("\tclient: " + c.client.toString());
System.out.println("\tserver: " + c.server.toString());
System.out.println("\tticket: realm: " + c.ticket.realm.toString());
System.out.println("\t sname: " + c.ticket.sname.toString());
if (c.startTime != null) {
System.out.println("\tstartTime: " + c.startTime.getTime());
}
System.out.println("\tendTime: " + c.endTime.getTime());
System.out.println(" ----Credentials end----");
}
static void ensureLoaded() {
java.security.AccessController.doPrivileged(
new java.security.PrivilegedAction<Void> () {
public Void run() {
System.loadLibrary("w2k_lsa_auth");
return null;
}
});
alreadyLoaded = true;
}
public String toString() {
StringBuffer buffer = new StringBuffer("Credentials:");
buffer.append("\nclient=").append(client);
buffer.append("\nserver=").append(server);
if (authTime != null) {
buffer.append("\nauthTime=").append(authTime);
}
if (startTime != null) {
buffer.append("\nstartTime=").append(startTime);
}
buffer.append("\nendTime=").append(endTime);
buffer.append("\nrenewTill=").append(renewTill);
buffer.append("\nflags: ").append(flags);
buffer.append("\nEType (int): ").append(key.getEType());
return buffer.toString();
}
}