/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* Utilities for obtaining and converting Kerberos tickets.
*
*/
public class Krb5Util {
static final boolean DEBUG =
("sun.security.krb5.debug")).booleanValue();
/**
* Default constructor
*/
}
/**
* Retrieve the service ticket for serverPrincipal from caller's Subject
* or from Subject obtained by logging in, or if not found, via the
* Ticket Granting Service using the TGT obtained from the Subject.
*
* Caller must have permission to:
* - access and update Subject's private credentials
* - create LoginContext
* - read the auth.login.defaultCallbackHandler security property
*
* NOTE: This method is used by JSSE Kerberos Cipher Suites
*/
// 1. Try to find service ticket in acc subject
return ticket; // found it
}
// 2. Try to get ticket from login
try {
return ticket; // found it
}
} catch (LoginException e) {
// No login entry to use
// ignore and continue
}
}
// Service ticket not found in subject or login
// Try to get TGT to acquire service ticket
// 3. Try to get TGT from acc subject
boolean fromAcc;
// 4. Try to get TGT from login subject
fromAcc = false;
} else {
fromAcc = true;
}
// 5. Try to get service ticket using TGT
if (serviceCreds != null) {
// Store service ticket in acc's Subject
}
}
}
return ticket;
}
/**
* pair from the Subject in the specified AccessControlContext.
* If the ticket can not be found in the Subject, and if
* useSubjectCredsOnly is false, then obtain ticket from
* a LoginContext.
*/
// Try to get ticket from acc's Subject
KerberosTicket.class);
// Try to get ticket from Subject obtained from GSSUtil
}
return ticket;
}
/**
* Retrieves the caller's Subject, or Subject obtained by logging in
* via the specified caller.
*
* Caller must have permission to:
* - access the Subject
* - create LoginContext
* - read the auth.login.defaultCallbackHandler security property
*
* NOTE: This method is used by JSSE Kerberos Cipher Suites
*/
// Try to get the Subject from acc
// Try to get Subject obtained from GSSUtil
}
return subject;
}
// A special KerberosKey, used as keys read from a KeyTab object.
// Each time new keys are read from KeyTab objects in the private
// credentials set, old ones are removed and new ones added.
}
}
/**
* Credentials of a service, the private secret to authenticate its
* identity, which can be:
* 1. Some KerberosKeys (generated from password)
* 2. A KeyTab (for a typical service)
* 3. A TGT (for a user2user service. Not supported yet)
*
* Note that some creds can coexist. For example, a user2user service
* can use its keytab (or keys) if the client can successfully obtain a
* normal service ticket, otherwise, it can use the TGT (actually, the
* session key of the TGT) if the client can only acquire a service ticket
* of ENC-TKT-IN-SKEY style.
*/
public static class ServiceCreds {
//private KerberosTicket tgt; // user2user, not supported yet
if (serverPrincipal == null ||
serverPrincipal = p.getName();
break;
}
}
// Compatibility with old behavior: even when there is no
// KerberosPrincipal, we can find one from KerberosKeys
if (DEBUG) {
+ " find one from kk: " + serverPrincipal);
}
} else {
return null;
}
}
return null;
}
return sc;
}
}
} else {
}
}
// Compatibility: also add keys to privCredSet. Remove old
// ones first, only remove those from keytab.
if (!subj.isReadOnly()) {
synchronized (pcs) {
if (obj instanceof KeysFromKeyTab) {
}
}
}
}
}
}
}
}
ekeys[i] = new EncryptionKey(
}
return ekeys;
}
public void destroy() {
}
}
/**
* Retrieves the ServiceCreds for the specified server principal from
* the Subject in the specified AccessControlContext. If not found, and if
* useSubjectCredsOnly is false, then obtain from a LoginContext.
*
* NOTE: This method is also used by JSSE Kerberos Cipher Suites
*/
throws LoginException {
}
}
return sc;
}
return new KerberosTicket(
};
throws KrbException, IOException {
return new Credentials(
}
/**
* A helper method to get EncryptionKeys from a javax..KeyTab
* @param ktab the javax..KeyTab class
* @param cname the PrincipalName
* @return the EKeys, never null, might be empty
*/
}
}