/*
 * Portions Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Sun designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Sun in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
 * CA 95054 USA or visit www.sun.com if you need additional information or
 * have any questions.
 */
| 25 | |
/*
 *
 * (C) Copyright IBM Corp. 1999 All Rights Reserved.
 * Copyright 1997 The Open Group Research Institute. All rights reserved.
 */
| 31 | |
| 32 | package sun.security.krb5; |
| 33 | |
| 34 | import sun.security.krb5.internal.*; |
| 35 | import sun.security.krb5.internal.crypto.KeyUsage; |
| 36 | import java.io.IOException; |
| 37 | import sun.security.util.DerValue; |
| 38 | |
/**
 * This class encapsulates the KRB-CRED message that a client uses to
 * send its delegated credentials to a server.
 *
 * Supports delegation of one ticket only.
 * @author Mayank Upadhyay
 */
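public class KrbCred {

    private static final boolean DEBUG = Krb5.DEBUG;

    // ASN.1 encoding of the KRB-CRED built by the sending-side constructor.
    // Stays null when this object was created by decoding a peer's message.
    private byte[] obuf = null;
    private KRBCred credMessg = null;
    // First (and only supported) ticket carried by the KRB-CRED.
    private Ticket ticket = null;
    // The EncKrbCredPart as built (sending side) or decrypted (receiving side).
    private EncKrbCredPart encPart = null;
    // Credentials recovered by the decoding constructor; null on the sending side.
    private Credentials creds = null;
    // Timestamp placed in / read from the EncKrbCredPart. It is recorded but
    // not compared against the local clock anywhere in this class.
    private KerberosTime timeStamp = null;

    /**
     * Builds a KRB-CRED that forwards the client's TGT to the peer named by
     * {@code serviceTicket}. A TGS-REQ with the FORWARDED and FORWARDABLE
     * options set is sent to obtain the forwarded TGT, which is then wrapped
     * in the KRB-CRED and ASN.1-encoded (see {@link #getMessage()}).
     *
     * Used in InitialToken with a null key.
     *
     * @param tgt the client's ticket-granting ticket, used to request the
     *            forwarded TGT
     * @param serviceTicket the service ticket; its server names the peer the
     *            TGT is forwarded to, and its client must equal {@code tgt}'s
     * @param key key under which the EncKrbCredPart is encrypted (the
     *            InitialToken caller passes a null key, so confidentiality of
     *            the forwarded TGT must then come from the enclosing token)
     * @throws KrbException if the two credentials belong to different client
     *            principals, or the TGS exchange fails
     * @throws IOException on ASN.1 encoding errors
     */
    public KrbCred(Credentials tgt,
                   Credentials serviceTicket,
                   EncryptionKey key)
            throws KrbException, IOException {

        PrincipalName client = tgt.getClient();
        PrincipalName tgService = tgt.getServer();
        PrincipalName server = serviceTicket.getServer();
        if (!serviceTicket.getClient().equals(client)) {
            throw new KrbException(Krb5.KRB_ERR_GENERIC,
                                   "Client principal does not match");
        }

        // XXX Check Windows flag OK-TO-FORWARD-TO

        // Invoke TGS-REQ to get a forwarded TGT for the peer
        KDCOptions options = new KDCOptions();
        options.set(KDCOptions.FORWARDED, true);
        options.set(KDCOptions.FORWARDABLE, true);

        // Only host-based service principals get an address restriction on
        // the forwarded TGT.
        HostAddresses sAddrs = null;
        // XXX Also NT_GSS_KRB5_PRINCIPAL can be a host based principal
        // GSSName.NT_HOSTBASED_SERVICE should display with KRB_NT_SRV_HST
        if (server.getNameType() == PrincipalName.KRB_NT_SRV_HST) {
            sAddrs = new HostAddresses(server);
        }

        KrbTgsReq tgsReq = new KrbTgsReq(options, tgt, tgService,
                null, null, null, null, sAddrs, null, null, null);
        credMessg = createMessage(tgsReq.sendAndGetCreds(), key);

        obuf = credMessg.asn1Encode();
    }

    /**
     * Wraps {@code delegatedCreds} in a KRB-CRED message: a single
     * KrbCredInfo (session key, principals, flags and times) is placed in an
     * EncKrbCredPart stamped with the current time, encrypted under
     * {@code key} with key usage KU_ENC_KRB_CRED_PART, and paired with the
     * delegated ticket.
     *
     * @param delegatedCreds the credentials (normally a forwarded TGT) to
     *            hand to the peer
     * @param key key for the EncKrbCredPart
     * @return the assembled KRB-CRED; also stored in this object
     * @throws KrbException on encryption errors
     * @throws IOException on ASN.1 encoding errors
     */
    KRBCred createMessage(Credentials delegatedCreds, EncryptionKey key)
            throws KrbException, IOException {

        EncryptionKey sessionKey = delegatedCreds.getSessionKey();
        PrincipalName princ = delegatedCreds.getClient();
        Realm realm = princ.getRealm();
        PrincipalName tgService = delegatedCreds.getServer();
        Realm tgsRealm = tgService.getRealm();

        KrbCredInfo credInfo = new KrbCredInfo(sessionKey, realm,
                princ, delegatedCreds.flags, delegatedCreds.authTime,
                delegatedCreds.startTime, delegatedCreds.endTime,
                delegatedCreds.renewTill, tgsRealm, tgService,
                delegatedCreds.cAddr);

        timeStamp = new KerberosTime(KerberosTime.NOW);
        KrbCredInfo[] credInfos = {credInfo};
        // Assign the field rather than a shadowing local so the built part
        // is retained alongside the message.
        encPart = new EncKrbCredPart(credInfos,
                timeStamp, null, null, null, null);

        EncryptedData encEncPart = new EncryptedData(key,
                encPart.asn1Encode(), KeyUsage.KU_ENC_KRB_CRED_PART);

        Ticket[] tickets = {delegatedCreds.ticket};

        credMessg = new KRBCred(tickets, encEncPart);

        return credMessg;
    }

    /**
     * Decodes a KRB-CRED received from a peer and recovers the delegated
     * credentials it carries (see {@link #getDelegatedCreds()}). Only the
     * first ticket and first KrbCredInfo are used.
     *
     * Used in InitialToken; the key is always NULL_KEY there, so the
     * EncKrbCredPart is not protected by this layer.
     *
     * @param asn1Message the ASN.1-encoded KRB-CRED from the peer
     * @param key key for decrypting the EncKrbCredPart
     * @throws KrbException if the message carries no ticket or no ticket
     *            info, or decryption fails
     * @throws IOException on ASN.1 decoding errors
     */
    public KrbCred(byte[] asn1Message, EncryptionKey key)
            throws KrbException, IOException {

        credMessg = new KRBCred(asn1Message);

        // The message is peer-supplied: reject an empty ticket list with a
        // KrbException instead of failing on the array access.
        if (credMessg.tickets == null || credMessg.tickets.length == 0) {
            throw new KrbException(Krb5.KRB_ERR_GENERIC,
                                   "KRB-CRED contains no ticket");
        }
        ticket = credMessg.tickets[0];

        byte[] temp = credMessg.encPart.decrypt(key,
                KeyUsage.KU_ENC_KRB_CRED_PART);
        byte[] plainText = credMessg.encPart.reset(temp, true);
        DerValue encoding = new DerValue(plainText);
        encPart = new EncKrbCredPart(encoding);

        timeStamp = encPart.timeStamp;

        if (encPart.ticketInfo == null || encPart.ticketInfo.length == 0) {
            throw new KrbException(Krb5.KRB_ERR_GENERIC,
                                   "KRB-CRED contains no ticket info");
        }
        KrbCredInfo credInfo = encPart.ticketInfo[0];
        EncryptionKey credInfoKey = credInfo.key;
        Realm prealm = credInfo.prealm;
        // XXX PrincipalName can store realm + principalname or
        // just principal name.
        PrincipalName pname = credInfo.pname;
        pname.setRealm(prealm);
        TicketFlags flags = credInfo.flags;
        KerberosTime authtime = credInfo.authtime;
        KerberosTime starttime = credInfo.starttime;
        KerberosTime endtime = credInfo.endtime;
        KerberosTime renewTill = credInfo.renewTill;
        Realm srealm = credInfo.srealm;
        PrincipalName sname = credInfo.sname;
        sname.setRealm(srealm);
        HostAddresses caddr = credInfo.caddr;

        if (DEBUG) {
            // Principals and times only; the session key is never printed.
            System.out.println(">>>Delegated Creds have pname=" + pname
                               + " sname=" + sname
                               + " authtime=" + authtime
                               + " starttime=" + starttime
                               + " endtime=" + endtime
                               + " renewTill=" + renewTill);
        }
        creds = new Credentials(ticket, pname, sname, credInfoKey,
                flags, authtime, starttime, endtime, renewTill, caddr);
    }

    /**
     * Returns the delegated credentials from the peer.
     *
     * @return a one-element array; the element is null when this object was
     *         built on the sending side rather than decoded from a message
     */
    public Credentials[] getDelegatedCreds() {
        return new Credentials[] {creds};
    }

    /**
     * Returns the ASN.1 encoding that should be sent to the peer.
     *
     * @return the encoded KRB-CRED (the internal buffer, not a copy), or null
     *         when this object was decoded from a received message
     */
    public byte[] getMessage() {
        return obuf;
    }
}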