Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / libcore / 319a3b994703aac84df7bcde272adfcb3cdbbbf0 / . / jdk / src / share / classes / sun / security / jgss / krb5 / Krb5MechFactory.java
blob: 3977777426a42c7833b79e52259c982279b2af01 [file] [log] [blame]
J. Duke319a3b92007-12-01 00:00:00 +0000[diff] [blame^]1/*
2 * Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Sun designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Sun in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
22 * CA 95054 USA or visit www.sun.com if you need additional information or
23 * have any questions.
24 */
25
26package sun.security.jgss.krb5;
27
28import org.ietf.jgss.*;
29import sun.security.jgss.GSSUtil;
30import sun.security.jgss.spi.*;
31import javax.security.auth.kerberos.ServicePermission;
32import java.security.Provider;
33import sun.security.util.DerOutputStream;
34import sun.security.util.ObjectIdentifier;
35import java.io.IOException;
36import java.util.Vector;
37
38/**
39 * Krb5 Mechanism plug in for JGSS
40 * This is the properties object required by the JGSS framework.
41 * All mechanism specific information is defined here.
42 *
43 * @author Mayank Upadhyay
44 */
45
46public final class Krb5MechFactory implements MechanismFactory {
47
48 private static final boolean DEBUG = Krb5Util.DEBUG;
49
50 static final Provider PROVIDER =
51 new sun.security.jgss.SunProvider();
52
53 static final Oid GSS_KRB5_MECH_OID =
54 createOid("1.2.840.113554.1.2.2");
55
56 static final Oid NT_GSS_KRB5_PRINCIPAL =
57 createOid("1.2.840.113554.1.2.2.1");
58
59 private static Oid[] nameTypes =
60 new Oid[] { GSSName.NT_USER_NAME,
61 GSSName.NT_HOSTBASED_SERVICE,
62 GSSName.NT_EXPORT_NAME,
63 NT_GSS_KRB5_PRINCIPAL};
64
65 final private int caller;
66
67 private static Krb5CredElement getCredFromSubject(GSSNameSpi name,
68 boolean initiate)
69 throws GSSException {
70 Vector<Krb5CredElement> creds =
71 GSSUtil.searchSubject(name, GSS_KRB5_MECH_OID, initiate,
72 (initiate ?
73 Krb5InitCredential.class :
74 Krb5AcceptCredential.class));
75
76 Krb5CredElement result = ((creds == null || creds.isEmpty()) ?
77 null : creds.firstElement());
78
79 // Force permission check before returning the cred to caller
80 if (result != null) {
81 if (initiate) {
82 checkInitCredPermission((Krb5NameElement) result.getName());
83 } else {
84 checkAcceptCredPermission
85 ((Krb5NameElement) result.getName(), name);
86 }
87 }
88 return result;
89 }
90
91 public Krb5MechFactory(int caller) {
92 this.caller = caller;
93 }
94
95 public GSSNameSpi getNameElement(String nameStr, Oid nameType)
96 throws GSSException {
97 return Krb5NameElement.getInstance(nameStr, nameType);
98 }
99
100 public GSSNameSpi getNameElement(byte[] name, Oid nameType)
101 throws GSSException {
102 // At this point, even an exported name is stripped down to safe
103 // bytes only
104 // XXX Use encoding here
105 return Krb5NameElement.getInstance(new String(name), nameType);
106 }
107
108 public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
109 int initLifetime, int acceptLifetime,
110 int usage) throws GSSException {
111
112 if (name != null && !(name instanceof Krb5NameElement)) {
113 name = Krb5NameElement.getInstance(name.toString(),
114 name.getStringNameType());
115 }
116
117 Krb5CredElement credElement = getCredFromSubject
118 (name, (usage != GSSCredential.ACCEPT_ONLY));
119
120 if (credElement == null) {
121 if (usage == GSSCredential.INITIATE_ONLY ||
122 usage == GSSCredential.INITIATE_AND_ACCEPT) {
123 credElement = Krb5InitCredential.getInstance
124 (caller, (Krb5NameElement) name, initLifetime);
125 checkInitCredPermission
126 ((Krb5NameElement) credElement.getName());
127 } else if (usage == GSSCredential.ACCEPT_ONLY) {
128 credElement =
129 Krb5AcceptCredential.getInstance(caller,
130 (Krb5NameElement) name);
131 checkAcceptCredPermission
132 ((Krb5NameElement) credElement.getName(), name);
133 } else
134 throw new GSSException(GSSException.FAILURE, -1,
135 "Unknown usage mode requested");
136 }
137 return credElement;
138 }
139
140 public static void checkInitCredPermission(Krb5NameElement name) {
141 SecurityManager sm = System.getSecurityManager();
142 if (sm != null) {
143 String realm = (name.getKrb5PrincipalName()).getRealmAsString();
144 String tgsPrincipal =
145 new String("krbtgt/" + realm + '@' + realm);
146 ServicePermission perm =
147 new ServicePermission(tgsPrincipal, "initiate");
148 try {
149 sm.checkPermission(perm);
150 } catch (SecurityException e) {
151 if (DEBUG) {
152 System.out.println("Permission to initiate" +
153 "kerberos init credential" + e.getMessage());
154 }
155 throw e;
156 }
157 }
158 }
159
160 public static void checkAcceptCredPermission(Krb5NameElement name,
161 GSSNameSpi originalName) {
162 SecurityManager sm = System.getSecurityManager();
163 if (sm != null) {
164 ServicePermission perm = new ServicePermission
165 (name.getKrb5PrincipalName().getName(), "accept");
166 try {
167 sm.checkPermission(perm);
168 } catch (SecurityException e) {
169 if (originalName == null) {
170 // Don't disclose the name of the principal
171 e = new SecurityException("No permission to acquire "
172 + "Kerberos accept credential");
173 // Don't call e.initCause() with caught exception
174 }
175 throw e;
176 }
177 }
178 }
179
180 public GSSContextSpi getMechanismContext(GSSNameSpi peer,
181 GSSCredentialSpi myInitiatorCred, int lifetime)
182 throws GSSException {
183 if (peer != null && !(peer instanceof Krb5NameElement)) {
184 peer = Krb5NameElement.getInstance(peer.toString(),
185 peer.getStringNameType());
186 }
187 // XXX Convert myInitiatorCred to Krb5CredElement
188 if (myInitiatorCred == null) {
189 myInitiatorCred = getCredentialElement(null, lifetime, 0,
190 GSSCredential.INITIATE_ONLY);
191 }
192 return new Krb5Context(caller, (Krb5NameElement)peer,
193 (Krb5CredElement)myInitiatorCred, lifetime);
194 }
195
196 public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
197 throws GSSException {
198 // XXX Convert myAcceptorCred to Krb5CredElement
199 if (myAcceptorCred == null) {
200 myAcceptorCred = getCredentialElement(null, 0,
201 GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
202 }
203 return new Krb5Context(caller, (Krb5CredElement)myAcceptorCred);
204 }
205
206 public GSSContextSpi getMechanismContext(byte[] exportedContext)
207 throws GSSException {
208 return new Krb5Context(caller, exportedContext);
209 }
210
211
212 public final Oid getMechanismOid() {
213 return GSS_KRB5_MECH_OID;
214 }
215
216 public Provider getProvider() {
217 return PROVIDER;
218 }
219
220 public Oid[] getNameTypes() {
221 // nameTypes is cloned in GSSManager.getNamesForMech
222 return nameTypes;
223 }
224
225 private static Oid createOid(String oidStr) {
226 Oid retVal = null;
227 try {
228 retVal = new Oid(oidStr);
229 } catch (GSSException e) {
230 // Should not happen!
231 }
232 return retVal;
233 }
234}