/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
*
* (C) Copyright IBM Corp. 1999 All Rights Reserved.
* Copyright 1997 The Open Group Research Institute. All rights reserved.
*/
/**
* This class encapsulates the concept of an EncryptionKey. An encryption
* key is defined in RFC 4120 as:
*
* EncryptionKey ::= SEQUENCE {
* keytype [0] Int32 -- actually encryption type --,
* keyvalue [1] OCTET STRING
* }
*
* keytype
* This field specifies the encryption type of the encryption key
* that follows in the keyvalue field. Although its name is
* "keytype", it actually specifies an encryption type. Previously,
* multiple cryptosystems that performed encryption differently but
* were capable of using keys with the same characteristics were
* permitted to share an assigned number to designate the type of
* key; this usage is now deprecated.
*
* keyvalue
* This field contains the key itself, encoded as an octet string.
*/
public class EncryptionKey
implements Cloneable {
private int keyType;
private byte[] keyValue;
public synchronized int getEType() {
return keyType;
}
return kvno;
}
/**
* Returns the raw key bytes, not in any ASN.1 encoding.
*/
public final byte[] getBytes() {
// This method cannot be called outside sun.security, hence no
// cloning. getEncoded() calls this method.
return keyValue;
}
}
/**
* Obtains the latest version of the secret key of
* the principal from a keytab.
*
* @param princ the principal whose secret key is desired
* @param keytab the path to the keytab file. A value of null
* will be accepted to indicate that the default path should be
* searched.
* @returns the secret key or null if none was found.
*/
/*
// Replaced by acquireSecretKeys
public static EncryptionKey acquireSecretKey(PrincipalName princ,
String keytab)
throws KrbException, IOException {
if (princ == null) {
throw new IllegalArgumentException(
"Cannot have null pricipal name to look in keytab.");
}
KeyTab ktab = KeyTab.getInstance(keytab);
if (ktab == null)
return null;
return ktab.readServiceKey(princ);
}
*/
/**
* Obtains all versions of the secret key of the principal from a
* keytab.
*
* @Param princ the principal whose secret key is desired
* @param keytab the path to the keytab file. A value of null
* will be accepted to indicate that the default path should be
* searched.
* @returns an array of secret keys or null if none were found.
*/
throw new IllegalArgumentException(
"Cannot have null pricipal name to look in keytab.");
// KeyTab getInstance(keytab) will call KeyTab.getInstance()
// if keytab is null
}
/**
* Obtains a key for a given etype of a principal with possible new salt
* and s2kparams
* @param cname NOT null
* @param password NOT null
* @param etype
* @param snp can be NULL
* @returns never null
*/
throws KrbException {
byte[] s2kparams;
} else {
}
}
/**
* Obtains a key for a given etype with salt and optional s2kparams
* @param password NOT null
* @param salt NOT null
* @param etype
* @param s2kparams can be NULL
* @returns never null
*/
throws KrbException {
return new EncryptionKey(
}
/**
* Generate a list of keys using the given principal and password.
* Construct a key for each configured etype.
* Caller is responsible for clearing password.
*/
/*
* Usually, when keyType is decoded from ASN.1 it will contain a
* value indicating what the algorithm to be used is. However, when
* converting from a password to a key for the AS-EXCHANGE, this
* keyType will not be available. Use builtin list of default etypes
* as the default in that case. If default_tkt_enctypes was set in
* the libdefaults of krb5.conf, then use that sequence.
*/
}
encKeys[i] = new EncryptionKey(
} else {
if (DEBUG) {
}
}
}
return encKeys;
}
// Used in Krb5AcceptCredential, self
int keyType,
} else {
throw new IllegalArgumentException("EncryptionKey: " +
"Key bytes cannot be null!");
}
}
/**
* Constructs an EncryptionKey by using the specified key type and key
* value. It is used to recover the key when retrieving data from
* credential cache file.
*
*/
// Used in JSSE (KerberosWrapper), Credentials,
// javax.security.auth.kerberos.KeyImpl
byte[] keyValue) {
}
try {
switch (keyType) {
default:
throw new IllegalArgumentException("encryption type " +
}
} catch (GeneralSecurityException e) {
throw ke;
} finally {
}
}
// Used in javax.security.auth.kerberos.KeyImpl
// validate if AES256 is enabled
" not enabled");
}
} else {
" not supported");
}
}
/**
* Generates a sub-sessionkey from a given session key.
*/
// Used in KrbApRep, KrbApReq
// generate random sub-session key
}
// check for key parity and weak keys
try {
// check for DES key
// fix DES key parity
}
// check for weak key
}
}
// check for 3DES key
// fix 3DES key parity
}
// check for weak keys
byte[] oneKey = new byte[8];
}
}
}
} catch (GeneralSecurityException e) {
throw ke;
}
}
/**
* Constructs an instance of EncryptionKey type.
* @param encoding a single DER-encoded value.
* @exception Asn1Exception if an error occurs while decoding an ASN1
* encoded data.
* @exception IOException if an I/O error occurs while reading encoded
* data.
*
*
*/
// Used in javax.security.auth.kerberos.KeyImpl
}
}
else
}
else
}
}
/**
* Returns the ASN.1 encoding of this EncryptionKey.
*
* <xmp>
* EncryptionKey ::= SEQUENCE {
* keytype[0] INTEGER,
* keyvalue[1] OCTET STRING }
* </xmp>
*
* <p>
* This definition reflects the Network Working Group RFC 4120
* specification available at
* <a href="http://www.ietf.org/rfc/rfc4120.txt">
*
* @return byte array of encoded EncryptionKey object.
* @exception Asn1Exception if an error occurs while decoding an ASN1
* encoded data.
* @exception IOException if an I/O error occurs while reading encoded
* data.
*
*/
(byte)0x00), temp);
temp = new DerOutputStream();
(byte)0x01), temp);
temp = new DerOutputStream();
return temp.toByteArray();
}
public synchronized void destroy() {
keyValue[i] = 0;
}
/**
* Parse (unmarshal) an Encryption key from a DER input stream. This form
* parsing might be used when expanding a value which is part of
* a constructed sequence and uses explicitly tagged type.
*
* @param data the Der input stream value, which contains one or more
* marshaled value.
* @param explicitTag tag number.
* @param optional indicate if this data field is optional
* @exception Asn1Exception if an error occurs while decoding an ASN1
* encoded data.
* @exception IOException if an I/O error occurs while reading encoded
* data.
* @return an instance of EncryptionKey.
*
*/
explicitTag, boolean optional) throws
explicitTag)) {
return null;
}
} else {
return new EncryptionKey(subDer);
}
}
/**
* Writes key value in FCC format to a <code>CCacheOutputStream</code>.
*
* @param cos a <code>CCacheOutputStream</code> to be written to.
* @exception IOException if an I/O exception occurs.
* @see sun.security.krb5.internal.ccache.CCacheOutputStream
*
*/
throws IOException {
// we use KRB5_FCC_FVNO_3
}
}
+ " kvno=" + kvno
+ " keyValue (hex dump)="
" Empty Key" : '\n'
+ '\n'));
}
/**
* Find a key with given etype
*/
throws KrbException {
}
/**
* Determines if a kvno matches another kvno. Used in the method
* findKey(type, kvno, keys). Always returns true if either input
* is null or zero, in case any side does not have kvno info available.
*
* Note: zero is included because N/A is not a legal value for kvno
* in javax.security.auth.kerberos.KerberosKey. Therefore, the info
* that the kvno is N/A might be lost when converting between this
* class and KerberosKey.
*/
return true;
}
}
/**
* Find a key with given etype and kvno
* @param kvno if null, return any (first?) key
*/
throws KrbException {
// check if encryption type is supported
throw new KrbException("Encryption type " +
}
int ktype;
boolean etypeFound = false;
etypeFound = true;
return keys[i];
}
}
}
}
// Key not found.
// allow DES key to be used for the DES etypes
etypeFound = true;
}
}
}
}
if (etypeFound) {
}
return null;
}
}