/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 */

/**
 * This is the Kerberos option in the client key exchange message
 * (CLIENT -> SERVER). It holds the Kerberos ticket and the encrypted
 * premaster secret, encrypted with the session key sealed in the ticket.
 *
 *    opaque authenticator;            // optional
 *    opaque EncryptedPreMasterSecret; // encrypted with the session key
 *                                     // which is sealed in the ticket
 *
 * Ticket and authenticator are encrypted as per RFC 1510 (in ASN.1).
 * The encrypted pre-master secret has the same structure as it does for RSA,
 * except that for Kerberos the encryption key is the session key instead of
 *
 * XXX authenticator currently ignored
 */

    /**
     * Creates an instance of KerberosClientKeyExchange consisting of the
     * Kerberos service ticket, authenticator and encrypted premaster secret.
     * Called by client handshaker.
     *
     * @param serverName name of server with which to do handshake;
     *          this is used to get the Kerberos service ticket
     * @param protocolVersion maximum version supported by client (i.e.,
     *          version it requested in client hello)
     * @param rand random number generator to use for generating pre-master
     */
        // Get service ticket
        // Record the Kerberos principals
        // Optional authenticator, encrypted using session key,
        // currently ignored
        // Generate premaster secret and encrypt it using session key

    /**
     * Creates an instance of KerberosClientKeyExchange from its ASN.1 encoding.
     * Used by ServerHandshaker to verify and obtain premaster secret.
     *
     * @param protocolVersion current protocol version
     * @param clientVersion version requested by client in its ClientHello;
     *          used by premaster secret version check
     * @param rand random number generator used for generating random
     *          premaster secret if ticket and/or premaster verification fails
     * @param input inputstream from which to get ASN.1-encoded KerberosWrapper
     * @param serverKey server's master secret key
     */
        // Permission to access and use the secret key of the Kerberized
        // "host" service is done in ServerHandshaker.getKerberosKeys()
        // to ensure server has the permission to use the secret key
        // before promising the client

        // Check that ticket Sname matches serverPrincipal
                + " match associated principal in KerberosKey");

        // See if we have the right key to decrypt the ticket to get
                "Cannot find key matching version number",
                ke);

        // %%% Should print string repr of etype
                "Cannot find key of appropriate type to decrypt ticket - need etype " +

        // Decrypt encPart using server's secret key
        // Reset data stream after decryption, remove redundant bytes
        // Record the Kerberos Principals
        // Generate bogus premaster secret

        // get the local hostname if srvName is loopback address

        // Resolve serverName (possibly in IP addr form) to Kerberos principal
        // name for service with hostname

        // check permission to obtain a service ticket to initiate a
        // context with the "host" service
                "Attempt to obtain kerberos service ticket for " +

    /**
     * Determines if a kvno matches another kvno. Used in the method
     * findKey(etype, version, keys). Always returns true if either input
     * is null or zero, in case any side does not have kvno info available.
     * Note: zero is included because N/A is not a legal value for kvno
     * in javax.security.auth.kerberos.KerberosKey. Therefore, the info
     * that the kvno is N/A might be lost when converting between
     * EncryptionKey and KerberosKey.
     */
        // %%% kludge to allow DES keys to be used for diff etypes
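The KerberosWrapper parsing and the server-side "generate bogus premaster secret on failure" step described in the comments above, as an added Python example that is not OpenJDK's code: it assumes the RFC 2712 two-byte length prefix for each opaque field, and `decrypt` and `rand` are hypothetical callables standing in for the session-key decryption and the handshaker's random number generator.

```python
import os
import struct
from typing import Callable, Optional, Tuple

PREMASTER_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes


def parse_kerberos_wrapper(data: bytes) -> Tuple[bytes, bytes, bytes]:
    """Split a KerberosWrapper into (ticket, authenticator, enc_premaster).
    Assumed encoding (RFC 2712): each field is an opaque<0..2^16-1>, a 2-byte
    big-endian length followed by the bytes. Truncation and trailing bytes
    are rejected rather than silently ignored.
    """
    fields, off = [], 0
    for _ in range(3):
        if off + 2 > len(data):
            raise ValueError("truncated length field in KerberosWrapper")
        (n,) = struct.unpack_from(">H", data, off)
        off += 2
        if off + n > len(data):
            raise ValueError("truncated field body in KerberosWrapper")
        fields.append(data[off:off + n])
        off += n
    if off != len(data):
        raise ValueError("trailing bytes after KerberosWrapper")
    return fields[0], fields[1], fields[2]


def encode_kerberos_wrapper(ticket: bytes, authenticator: bytes,
                            enc_premaster: bytes) -> bytes:
    """Inverse of parse_kerberos_wrapper; the authenticator may be empty."""
    return b"".join(struct.pack(">H", len(f)) + f
                    for f in (ticket, authenticator, enc_premaster))


def recover_premaster(enc_premaster: bytes, client_version: Tuple[int, int],
                      decrypt: Callable[[bytes], Optional[bytes]],
                      rand: Callable[[int], bytes] = os.urandom) -> bytes:
    """Server side: premaster secret to feed into master-secret derivation.
    `decrypt` (hypothetical callable) decrypts with the session key recovered
    from the ticket and returns None on failure. A failed decryption, a wrong
    length, or a version prefix that differs from the ClientHello version does
    not abort the handshake here: a random premaster is used instead, so the
    handshake fails at Finished without revealing which check failed.
    """
    bogus = rand(PREMASTER_LEN)  # generated unconditionally
    pm = decrypt(enc_premaster)
    ok = (pm is not None and len(pm) == PREMASTER_LEN
          and (pm[0], pm[1]) == tuple(client_version))
    return pm if ok else bogus
```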