0N/A/*
2551N/A * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
0N/A *
0N/A * This code is free software; you can redistribute it and/or modify it
0N/A * under the terms of the GNU General Public License version 2 only, as
2362N/A * published by the Free Software Foundation. Oracle designates this
0N/A * particular file as subject to the "Classpath" exception as provided
2362N/A * by Oracle in the LICENSE file that accompanied this code.
0N/A *
0N/A * This code is distributed in the hope that it will be useful, but WITHOUT
0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
0N/A * version 2 for more details (a copy is included in the LICENSE file that
0N/A * accompanied this code).
0N/A *
0N/A * You should have received a copy of the GNU General Public License version
0N/A * 2 along with this work; if not, write to the Free Software Foundation,
0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
0N/A *
2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
2362N/A * or visit www.oracle.com if you need additional information or have any
2362N/A * questions.
0N/A */
0N/A
0N/A/*
0N/A *
0N/A * (C) Copyright IBM Corp. 1999 All Rights Reserved.
0N/A * Copyright 1997 The Open Group Research Institute. All rights reserved.
0N/A */
0N/A
0N/Apackage sun.security.krb5;
0N/A
0N/Aimport sun.security.krb5.internal.*;
0N/Aimport sun.security.krb5.internal.crypto.KeyUsage;
0N/Aimport java.io.IOException;
0N/Aimport sun.security.util.DerValue;
0N/A
0N/A/**
0N/A * This class encapsulates the KRB-CRED message that a client uses to
0N/A * send its delegated credentials to a server.
0N/A *
0N/A * Supports delegation of one ticket only.
0N/A * @author Mayank Upadhyay
0N/A */
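public class KrbCred {

    private static final boolean DEBUG = Krb5.DEBUG;

    // ASN.1 encoding of the outgoing KRB-CRED (only set by the sending-side ctor)
    private byte[] obuf = null;
    // The KRB-CRED message, either built locally or parsed from the peer
    private KRBCred credMessg = null;
    // The single delegated ticket (this class handles one ticket only)
    private Ticket ticket = null;
    // Decrypted / to-be-encrypted enc-part of the KRB-CRED
    private EncKrbCredPart encPart = null;
    // Delegated credentials recovered from a received KRB-CRED
    private Credentials creds = null;
    // Timestamp carried in the enc-part
    private KerberosTime timeStamp = null;

    /**
     * Builds a KRB-CRED that forwards a TGT to the peer named in
     * {@code serviceTicket}.
     *
     * A TGS-REQ with the FORWARDED and FORWARDABLE options set is sent to
     * obtain the forwarded TGT; the resulting credentials are wrapped in a
     * KRB-CRED whose enc-part is encrypted under {@code key}, and the ASN.1
     * encoding is made available through {@link #getMessage()}.
     * Used in InitialToken with null key.
     *
     * @param tgt the caller's ticket-granting ticket
     * @param serviceTicket the service ticket for the peer that will receive
     *        the delegated credentials; its client principal must equal that
     *        of {@code tgt}
     * @param key the key used to encrypt the enc-part of the KRB-CRED
     * @throws KrbException if the client principals of {@code tgt} and
     *         {@code serviceTicket} differ, or the TGS exchange fails
     * @throws IOException if the message cannot be encoded
     */
    public KrbCred(Credentials tgt,
                   Credentials serviceTicket,
                   EncryptionKey key)
        throws KrbException, IOException {

        PrincipalName client = tgt.getClient();
        PrincipalName tgService = tgt.getServer();
        PrincipalName server = serviceTicket.getServer();
        // Refuse to forward credentials on behalf of a different principal
        if (!serviceTicket.getClient().equals(client)) {
            throw new KrbException(Krb5.KRB_ERR_GENERIC,
                                   "Client principal does not match");
        }

        // XXX Check Windows flag OK-TO-FORWARD-TO

        // Invoke TGS-REQ to get a forwarded TGT for the peer

        KDCOptions options = new KDCOptions();
        options.set(KDCOptions.FORWARDED, true);
        options.set(KDCOptions.FORWARDABLE, true);

        HostAddresses sAddrs = null;
        // XXX Also NT_GSS_KRB5_PRINCIPAL can be a host based principal
        // GSSName.NT_HOSTBASED_SERVICE should display with KRB_NT_SRV_HST
        if (server.getNameType() == PrincipalName.KRB_NT_SRV_HST) {
            sAddrs = new HostAddresses(server);
        }

        KrbTgsReq tgsReq = new KrbTgsReq(options, tgt, tgService,
                null, null, null, null, sAddrs, null, null, null);
        credMessg = createMessage(tgsReq.sendAndGetCreds(), key);

        obuf = credMessg.asn1Encode();
    }

    /**
     * Wraps {@code delegatedCreds} in a KRB-CRED message.
     *
     * The enc-part holds a single KrbCredInfo describing the delegated
     * credentials plus a fresh timestamp, and is encrypted under
     * {@code key} with key usage KU_ENC_KRB_CRED_PART. The message is also
     * stored in {@code credMessg} and its enc-part in {@code encPart}.
     *
     * @param delegatedCreds the credentials (ticket, session key, times,
     *        flags, addresses) to delegate
     * @param key the key used to encrypt the enc-part
     * @return the assembled KRB-CRED
     * @throws KrbException if encryption fails
     * @throws IOException if the enc-part cannot be encoded
     */
    KRBCred createMessage(Credentials delegatedCreds, EncryptionKey key)
        throws KrbException, IOException {

        EncryptionKey sessionKey = delegatedCreds.getSessionKey();
        PrincipalName princ = delegatedCreds.getClient();
        Realm realm = princ.getRealm();
        PrincipalName tgService = delegatedCreds.getServer();
        Realm tgsRealm = tgService.getRealm();

        KrbCredInfo credInfo = new KrbCredInfo(sessionKey, realm,
                princ, delegatedCreds.flags, delegatedCreds.authTime,
                delegatedCreds.startTime, delegatedCreds.endTime,
                delegatedCreds.renewTill, tgsRealm, tgService,
                delegatedCreds.cAddr);

        timeStamp = new KerberosTime(KerberosTime.NOW);
        KrbCredInfo[] credInfos = {credInfo};
        // Assign the field rather than a shadowing local so the enc-part
        // that was sent remains available on this instance.
        encPart = new EncKrbCredPart(credInfos,
                                     timeStamp, null, null, null, null);

        EncryptedData encEncPart = new EncryptedData(key,
                encPart.asn1Encode(), KeyUsage.KU_ENC_KRB_CRED_PART);

        Ticket[] tickets = {delegatedCreds.ticket};

        credMessg = new KRBCred(tickets, encEncPart);

        return credMessg;
    }

    /**
     * Parses and decrypts a KRB-CRED received from the peer and recovers
     * the delegated credentials it carries.
     *
     * The message is peer-supplied input, so its structure is validated
     * before it is indexed: a KRB-CRED with no ticket, or whose decrypted
     * enc-part has no KrbCredInfo entry, is rejected with a
     * {@link KrbException} instead of an array-index error. Only the first
     * ticket / ticket-info pair is used.
     * Used in InitialToken, key always NULL_KEY.
     *
     * @param asn1Message the DER encoding of the KRB-CRED
     * @param key the key used to decrypt the enc-part
     * @throws KrbException if the message is malformed, cannot be
     *         decrypted, or lacks a ticket or ticket info
     * @throws IOException if the encoding cannot be parsed
     */
    public KrbCred(byte[] asn1Message, EncryptionKey key)
        throws KrbException, IOException {

        credMessg = new KRBCred(asn1Message);

        if (credMessg.tickets == null || credMessg.tickets.length == 0) {
            throw new KrbException(Krb5.KRB_ERR_GENERIC,
                                   "KRB-CRED contains no ticket");
        }
        ticket = credMessg.tickets[0];

        byte[] temp = credMessg.encPart.decrypt(key,
                                                KeyUsage.KU_ENC_KRB_CRED_PART);
        byte[] plainText = credMessg.encPart.reset(temp);
        DerValue encoding = new DerValue(plainText);
        encPart = new EncKrbCredPart(encoding);

        timeStamp = encPart.timeStamp;

        if (encPart.ticketInfo == null || encPart.ticketInfo.length == 0) {
            throw new KrbException(Krb5.KRB_ERR_GENERIC,
                                   "KRB-CRED contains no ticket info");
        }
        creds = toCredentials(ticket, encPart.ticketInfo[0]);
    }

    /**
     * Combines one KrbCredInfo entry of a decrypted enc-part with its
     * ticket into a {@link Credentials} object.
     *
     * The client and server names are completed with the realms carried
     * alongside them in the KrbCredInfo. Both names are OPTIONAL in the
     * KrbCredInfo ASN.1 definition (RFC 4120 section 5.8.1), so their
     * absence is reported as a KrbException rather than a
     * NullPointerException.
     *
     * @param ticket the ticket the info entry describes
     * @param credInfo the decrypted ticket info
     * @return the reconstructed credentials
     * @throws KrbException if the client or server name is missing
     */
    private static Credentials toCredentials(Ticket ticket,
                                             KrbCredInfo credInfo)
        throws KrbException {

        EncryptionKey credInfoKey = credInfo.key;
        Realm prealm = credInfo.prealm;
        // XXX PrincipalName can store realm + principalname or
        // just principal name.
        PrincipalName pname = credInfo.pname;
        Realm srealm = credInfo.srealm;
        PrincipalName sname = credInfo.sname;
        if (pname == null || sname == null) {
            throw new KrbException(Krb5.KRB_ERR_GENERIC,
                    "KRB-CRED ticket info lacks client or server name");
        }
        pname.setRealm(prealm);
        sname.setRealm(srealm);

        TicketFlags flags = credInfo.flags;
        KerberosTime authtime = credInfo.authtime;
        KerberosTime starttime = credInfo.starttime;
        KerberosTime endtime = credInfo.endtime;
        KerberosTime renewTill = credInfo.renewTill;
        HostAddresses caddr = credInfo.caddr;

        if (DEBUG) {
            // Names and times only; the session key is never printed.
            System.out.println(">>>Delegated Creds have pname=" + pname
                               + " sname=" + sname
                               + " authtime=" + authtime
                               + " starttime=" + starttime
                               + " endtime=" + endtime
                               + " renewTill=" + renewTill);
        }
        return new Credentials(ticket, pname, sname, credInfoKey,
                flags, authtime, starttime, endtime, renewTill, caddr);
    }

    /**
     * Returns the delegated credentials from the peer.
     *
     * @return a fresh one-element array holding the credentials recovered
     *         by the receiving constructor; the element is {@code null}
     *         on an instance built by the sending constructor
     */
    public Credentials[] getDelegatedCreds() {
        return new Credentials[] {creds};
    }

    /**
     * Returns the ASN.1 encoding that should be sent to the peer.
     *
     * @return the encoded KRB-CRED, or {@code null} on an instance built
     *         by the receiving constructor
     */
    public byte[] getMessage() {
        return obuf;
    }
}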