/*
 * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 */

/**
 * A manager class for AS-REQ communications.
 *
 * 1. Gather information to create AS-REQ
 * 2. Create and send AS-REQ
 * 3. Receive AS-REP and KRB-ERROR (-KRB_ERR_RESPONSE_TOO_BIG) and parse them
 * 4. Emit credentials and secret keys (for JAAS storeKey=true with password)
 *
 * 1. Deal with real communications (KdcComm does it, and TGS-REQ)
 *    a. Name of KDCs for a realm
 *    b. Server availability, timeout, UDP or TCP
 *    d. KRB_ERR_RESPONSE_TOO_BIG
 * 2. Stores its own copy of the password, which means:
 *    b. Builder will not wipe it for you
 *
 * 1. KrbAsReq has only one constructor
 * 2. Krb5LoginModule and Kinit call a single builder
 * 3. Better handling of sensitive info
 */

// Common data for AS-REQ fields

// Secret source: can't be changed once assigned; only one (of the two
// sources) can be set to non-null

// Used to create an ENC-TIMESTAMP in the 2nd AS-REQ

// Only AS-REP should be enough per RFC,
// combined in case etypes are different.

// The generated and received:

INIT,   // Initialized, can still add more initialization info

// Called by other constructors

/**
 * Creates a builder to be used by {@code cname} with existing keys.
 *
 * @param cname the client of the AS-REQ. Must not be null. Might have no
 * realm, where the default realm will be used. This realm will be the target
 * realm for AS-REQ. I believe a client should only get initial TGT from
 * @param keys must not be null. If empty, might be quite useless.
 * This argument will neither be modified nor stored by the method.
 */

/**
 * Creates a builder to be used by {@code cname} with a known password.
 *
 * @param cname the client of the AS-REQ. Must not be null. Might have no
 * realm, where the default realm will be used. This realm will be the target
 * realm for AS-REQ. I believe a client should only get initial TGT from
 * @param pass must not be null. This argument will neither be modified
 * nor stored by the method.
 */

/**
 * Retrieves an array of secret keys for the client. This is used when
 * the client supplies a password but needs keys to act as an acceptor. For
 * an initiator, it must be called after AS-REQ is performed (state is OK).
 * For an acceptor, it can be called when this KrbAsReqBuilder object is
 * constructed (state is INIT).
 *
 * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated. Never null.
 * @throws IllegalStateException if not constructed from a password
 */

/**
 * Returns an array of keys. Before KrbAsReqBuilder, all etypes
 * use the same salt, which is either the default one or a new salt
 * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
 * own new salt from PA-DATA. For an etype with no PA-DATA new salt
 * at all, what salt should it use?
 *
 * Commonly, the stored keys are only to be used by an acceptor to
 * decrypt the service ticket in AP-REQ. Most impls only allow keys
 * from a keytab on an acceptor, but unfortunately (?) Java supports
 * an acceptor using a password. In this case, if the service ticket is
 * encrypted using an etype for which we don't have a PA-DATA new salt,
 * using the default salt might be wrong (say, case-insensitive
 * user name). Instead, we would use the new salt of another etype.
 */

// First round, only calculate those that have a PA entry
// Never uses a salt for rc4-hmac, it does not use
// No new salt from PA, maybe empty, maybe only rc4-hmac
// Second round, calculate those with no PA entry

/**
 * Sets or clears options. If cleared, default options will be used
 */

/**
 * Sets or clears target. If cleared, KrbAsReq might choose krbtgt
 */

/**
 * Adds or clears addresses. KrbAsReq might add some if empty
 */

/**
 * Build a KrbAsReq object from all info fed above. Normally this method
 * will be called twice: initial AS-REQ and second with pakey
 *
 * @param key null (initial AS-REQ) or pakey (with preauth)
 * @return the KrbAsReq object
 */

/**
 * Parses AS-REP, decrypts enc-part, retrieves ticket and session key
 */

/**
 * Communication until AS-REP or non preauth-related KRB-ERROR received
 */

/**
 * Performs AS-REQ send and AS-REP receive.
 * Maybe a state is needed here, to divide the prepare process and getCreds.
 */

/**
 * Gets Credentials object after action
 */

/**
 * Gets another type of Credentials after action
 */

/**
 * Destroys the object and clears keys and password info.
 */

/**
 * Checks if the current state is the specified one.
 *
 * @param st the expected state
 * @param msg error message if state is not correct
 * @throws IllegalStateException if state is not correct
 */
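The two-round salt policy described in the getKeys() comment above (etypes with an ETYPE-INFO entry take their own new salt, rc4-hmac takes none, and etypes with no entry borrow another etype's new salt rather than the default salt) is modelled below as an added example. It is not code from the JDK; KrbAsReqBuilder implements the policy in Java, and this is a stand-alone Python model of it. The etype numbers are the real RFC 3961/4757 values; the PA-DATA is reduced to a constructed etype-to-salt dict; `aes_string_to_key_material` runs only the PBKDF2 stage of RFC 3962 string-to-key (the final DK step is omitted), enough to show that an acceptor using the default salt for an etype the KDC never advertised would end up with key material that does not match the KDC's when the KDC canonicalised the principal name.

```python
import hashlib

# Real etype numbers (RFC 3962 for AES, RFC 4757 for rc4-hmac)
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23


def default_salt(cname: str, realm: str) -> str:
    """Default Kerberos salt (RFC 4120 section 4): realm name followed by
    the principal's name components concatenated without separators."""
    return realm + "".join(cname.split("/"))


def choose_salts(etypes, pa_salts, cname, realm):
    """Model of the two-round policy in the KrbAsReqBuilder comments.

    etypes   - the "default_tkt_enctypes" to generate keys for
    pa_salts - {etype: salt} learned from the KDC's ETYPE-INFO(2) PA-DATA
               (constructed stand-in for the real PA-DATA structures)
    Returns {etype: salt}; None means "no salt" (rc4-hmac).
    """
    salts = {}
    # First round: only etypes that have a PA entry; rc4-hmac never takes a salt.
    for etype in etypes:
        if etype == RC4_HMAC:
            salts[etype] = None
        elif etype in pa_salts:
            salts[etype] = pa_salts[etype]
    # Salt for the second round: a new salt from PA-DATA for any other
    # (non-rc4) etype if one exists, otherwise the default salt.
    fallback = default_salt(cname, realm)
    for etype, salt in pa_salts.items():
        if etype != RC4_HMAC and salt is not None:
            fallback = salt
            break
    # Second round: etypes with no PA entry reuse that salt.
    for etype in etypes:
        if etype not in salts:
            salts[etype] = fallback
    return salts


def aes_string_to_key_material(password: str, salt: str, etype: int) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (default 4096
    iterations, key length by etype). The DK(tkey, "kerberos") step is
    omitted, so this is material for comparison only, not a usable key."""
    keylen = 16 if etype == AES128_CTS_HMAC_SHA1_96 else 32
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, keylen)


def demo():
    """Constructed scenario: the user typed 'Alice', the KDC stores the
    principal as 'alice' and advertises only an aes256 ETYPE-INFO2 entry.
    The client wants aes256, aes128 and rc4-hmac keys (acceptor use)."""
    cname, realm, password = "Alice", "EXAMPLE.COM", "correct horse battery staple"
    kdc_salt = "EXAMPLE.COMalice"                      # constructed KDC-side salt
    pa_salts = {AES256_CTS_HMAC_SHA1_96: kdc_salt}     # constructed PA-DATA
    etypes = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96, RC4_HMAC]

    salts = choose_salts(etypes, pa_salts, cname, realm)
    kdc_aes128 = aes_string_to_key_material(password, kdc_salt, AES128_CTS_HMAC_SHA1_96)
    policy_aes128 = aes_string_to_key_material(
        password, salts[AES128_CTS_HMAC_SHA1_96], AES128_CTS_HMAC_SHA1_96)
    naive_aes128 = aes_string_to_key_material(
        password, default_salt(cname, realm), AES128_CTS_HMAC_SHA1_96)
    return {
        "salts": salts,
        "policy_key_matches_kdc": policy_aes128 == kdc_aes128,
        "default_salt_key_matches_kdc": naive_aes128 == kdc_aes128,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The second-round rule is what makes the aes128 key usable: the KDC never sent an aes128 salt, but it derived every key for the canonical name "alice", so borrowing the aes256 salt reproduces its key while the default salt built from "Alice" does not.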