Posted to commits@directory.apache.org by pl...@apache.org on 2015/11/24 08:59:54 UTC
[25/27] directory-kerby git commit: DIRKRB-469 & DIRKRB-470 setting
vno & cksum fields when making authenticator
DIRKRB-469 & DIRKRB-470 setting vno & cksum fields when making authenticator
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/df6ba15d
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/df6ba15d
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/df6ba15d
Branch: refs/heads/pkinit-support
Commit: df6ba15d4f990b104efcf36ede913f4eeb09a872
Parents: fe97606
Author: Drankye <dr...@gmail.com>
Authored: Tue Nov 24 14:16:32 2015 +0800
Committer: Drankye <dr...@gmail.com>
Committed: Tue Nov 24 14:16:32 2015 +0800
----------------------------------------------------------------------
.../kerb/client/request/ArmoredRequest.java | 30 +++++++++++++----
.../kerberos/kerb/client/request/AsRequest.java | 2 +-
.../kerb/client/request/KdcRequest.java | 23 ++++++-------
.../kerb/client/request/TgsRequest.java | 2 +-
.../kerb/client/request/TgsRequestWithTgt.java | 35 +++++++++++++++-----
.../kerberos/kerb/common/CheckSumUtil.java | 21 +++++++++++-
.../kerby/kerberos/kerb/common/KrbUtil.java | 1 -
.../kerb/server/request/TgsRequest.java | 1 +
8 files changed, 83 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/df6ba15d/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
index 2bcd75e..59cf399 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
@@ -29,6 +29,7 @@ import org.apache.kerby.kerberos.kerb.common.CheckSumUtil;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
import org.apache.kerby.kerberos.kerb.crypto.fast.FastUtil;
+import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
import org.apache.kerby.kerberos.kerb.spec.ap.ApOptions;
import org.apache.kerby.kerberos.kerb.spec.ap.ApReq;
import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
@@ -38,12 +39,14 @@ import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.spec.fast.ArmorType;
import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmor;
import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmoredReq;
import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastReq;
import org.apache.kerby.kerberos.kerb.spec.kdc.AsReq;
import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReqBody;
import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
import org.apache.kerby.kerberos.kerb.spec.ticket.Ticket;
@@ -143,8 +146,7 @@ public class ArmoredRequest {
CheckSum reqCheckSum = CheckSumUtil.makeCheckSumWithKey(CheckSumType.NONE,
outerRequestBody, state.getArmorKey(), KeyUsage.FAST_REQ_CHKSUM);
armoredReq.setReqChecksum(reqCheckSum);
- armoredReq.setEncryptedFastReq(EncryptionUtil.seal(fastReq, state.getArmorKey(),
- KeyUsage.FAST_ENC));
+ armoredReq.setEncryptedFastReq(EncryptionUtil.seal(fastReq, state.getArmorKey(), KeyUsage.FAST_ENC));
PaDataEntry paDataEntry = new PaDataEntry();
paDataEntry.setPaDataType(PaDataType.FX_FAST);
@@ -169,8 +171,7 @@ public class ArmoredRequest {
apReq.setApOptions(apOptions);
Ticket ticket = credential.getTicket();
apReq.setTicket(ticket);
- Authenticator authenticator = KdcRequest.makeAuthenticator(credential.getClientName(),
- credential.getClientRealm(), subKey);
+ Authenticator authenticator = makeAuthenticator(credential, subKey);
apReq.setAuthenticator(authenticator);
EncryptedData authnData = EncryptionUtil.seal(authenticator,
credential.getKey(), KeyUsage.AP_REQ_AUTH);
@@ -185,8 +186,7 @@ public class ArmoredRequest {
*/
private EncryptionKey makeArmorKey(EncryptionKey subKey, EncryptionKey armorCacheKey)
throws KrbException {
- EncryptionKey armorKey = FastUtil.cf2(subKey, "subkeyarmor",
- armorCacheKey, "ticketarmor");
+ EncryptionKey armorKey = FastUtil.cf2(subKey, "subkeyarmor", armorCacheKey, "ticketarmor");
return armorKey;
}
@@ -204,4 +204,22 @@ public class ArmoredRequest {
return armorCacheKey;
}
+
+ protected Authenticator makeAuthenticator(Credential credential,
+ EncryptionKey subKey) throws KrbException {
+ Authenticator authenticator = new Authenticator();
+ authenticator.setAuthenticatorVno(5);
+ authenticator.setCname(credential.getClientName());
+ authenticator.setCrealm(credential.getClientRealm());
+ authenticator.setCtime(KerberosTime.now());
+ authenticator.setCusec(0);
+ authenticator.setSubKey(subKey);
+
+ KdcReqBody reqBody = kdcRequest.getReqBody();
+ CheckSum checksum = CheckSumUtil.seal(reqBody, null,
+ subKey, KeyUsage.TGS_REQ_AUTH_CKSUM);
+ authenticator.setCksum(checksum);
+
+ return authenticator;
+ }
}
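Review bot: The body checksum on `CheckSum checksum = CheckSumUtil.seal(reqBody, null, subKey, KeyUsage.TGS_REQ_AUTH_CKSUM);` is keyed with subKey, while the authenticator that carries it is sealed with credential.getKey() in the hunk above; RFC 4120 (§3.3.1, §5.5.1) and the usual implementations key the KDC-REQ-BODY checksum with the ticket session key, the same key that encrypts the authenticator, so a KDC verifying with that key would reject this armor AP-REQ, whereas TgsRequestWithTgt.makeAuthenticator below uses tgt.getSessionKey() for both, which is the consistent pairing. `authenticator.setCusec(0)` (repeated in TgsRequestWithTgt.makeAuthenticator) drops the microsecond part that, together with ctime, is what a replay cache uses to tell two authenticators issued within the same second apart; take it from the clock, e.g. `authenticator.setCusec((int) ((System.currentTimeMillis() % 1000) * 1000));`, ideally from the same instant as ctime. The method otherwise duplicates TgsRequestWithTgt.makeAuthenticator while the commit deletes the shared static helper in KdcRequest; one protected helper taking name, realm, key, subkey and body would keep the two from drifting. kdcRequest is not declared in this hunk and is presumably a field of ArmoredRequest set elsewhere.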
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/df6ba15d/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
index 82d35f8..deb07d5 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
@@ -73,7 +73,7 @@ public class AsRequest extends KdcRequest {
public void process() throws KrbException {
super.process();
- KdcReqBody body = makeReqBody();
+ KdcReqBody body = getReqBody();
AsReq asReq = new AsReq();
asReq.setReqBody(body);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/df6ba15d/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
index 0d7ad6c..33f701f 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
@@ -30,7 +30,6 @@ import org.apache.kerby.kerberos.kerb.client.preauth.PreauthHandler;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
-import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
@@ -38,8 +37,8 @@ import org.apache.kerby.kerberos.kerb.spec.base.HostAddress;
import org.apache.kerby.kerberos.kerb.spec.base.HostAddresses;
import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
-import org.apache.kerby.kerberos.kerb.spec.kdc.KdcOptions;
import org.apache.kerby.kerberos.kerb.spec.kdc.KdcOption;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcOptions;
import org.apache.kerby.kerberos.kerb.spec.kdc.KdcRep;
import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReqBody;
@@ -67,6 +66,7 @@ public abstract class KdcRequest {
private EncryptionType chosenEncryptionType;
private int chosenNonce;
private KdcReq kdcReq;
+ private KdcReqBody reqBody;
private KdcRep kdcRep;
private PreauthContext preauthContext;
private KrbFastRequestState fastRequestState;
@@ -84,17 +84,6 @@ public abstract class KdcRequest {
this.fastRequestState = new KrbFastRequestState();
}
- protected static Authenticator makeAuthenticator(PrincipalName clientName, String clientRealm, EncryptionKey subKey)
- throws KrbException {
- Authenticator authenticator = new Authenticator();
- authenticator.setCname(clientName);
- authenticator.setCrealm(clientRealm);
- authenticator.setCtime(KerberosTime.now());
- authenticator.setCusec(0);
- authenticator.setSubKey(subKey);
- return authenticator;
- }
-
public KrbFastRequestState getFastRequestState() {
return fastRequestState;
}
@@ -167,6 +156,14 @@ public abstract class KdcRequest {
this.kdcReq = kdcReq;
}
+ protected KdcReqBody getReqBody() throws KrbException {
+ if (reqBody == null) {
+ reqBody = makeReqBody();
+ }
+
+ return reqBody;
+ }
+
public KdcRep getKdcRep() {
return kdcRep;
}
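Review bot: getReqBody() has no Javadoc, and the reason it caches matters for correctness: the TGS-REQ authenticator checksum (added in TgsRequestWithTgt and ArmoredRequest in this commit) must cover exactly the KDC-REQ-BODY encoding that is later sent, so a second makeReqBody() call would silently produce a body the checksum no longer matches. Suggest documenting that contract, e.g. `/** Returns the request body, built once on first use so that the authenticator checksum and the transmitted body cover the same encoding. Callers must not mutate the returned object after it has been checksummed. */`. Since the cached object is handed out as-is, any later mutation by a caller or a subclass invalidates an already-computed checksum; the Javadoc should say so. makeReqBody() is outside the hunk, so what it randomises per call (nonce, timestamps) cannot be confirmed here.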
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/df6ba15d/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
index d291e99..033e027 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
@@ -67,7 +67,7 @@ public class TgsRequest extends KdcRequest {
TgsReq tgsReq = new TgsReq();
- KdcReqBody tgsReqBody = makeReqBody();
+ KdcReqBody tgsReqBody = getReqBody();
tgsReq.setReqBody(tgsReqBody);
tgsReq.setPaData(getPreauthContext().getOutputPaData());
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/df6ba15d/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
index d28c2b1..cf01899 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
@@ -21,14 +21,18 @@ package org.apache.kerby.kerberos.kerb.client.request;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.common.CheckSumUtil;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
import org.apache.kerby.kerberos.kerb.spec.ap.ApOptions;
import org.apache.kerby.kerberos.kerb.spec.ap.ApReq;
import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
+import org.apache.kerby.kerberos.kerb.spec.base.CheckSum;
import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReqBody;
import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
@@ -57,17 +61,10 @@ public class TgsRequestWithTgt extends TgsRequest {
return tgt.getSessionKey();
}
- @Override
- protected void preauth() throws KrbException {
- apReq = makeApReq();
- super.preauth();
- }
-
private ApReq makeApReq() throws KrbException {
ApReq apReq = new ApReq();
- Authenticator authenticator = makeAuthenticator(tgt.getClientPrincipal(), tgt.getRealm(),
- tgt.getSessionKey());
+ Authenticator authenticator = makeAuthenticator();
EncryptionKey sessionKey = tgt.getSessionKey();
EncryptedData authnData = EncryptionUtil.seal(authenticator,
sessionKey, KeyUsage.TGS_REQ_AUTH);
@@ -80,7 +77,27 @@ public class TgsRequestWithTgt extends TgsRequest {
return apReq;
}
- public ApReq getApReq() {
+ public ApReq getApReq() throws KrbException {
+ if (apReq == null) {
+ apReq = makeApReq();
+ }
return apReq;
}
+
+ private Authenticator makeAuthenticator() throws KrbException {
+ Authenticator authenticator = new Authenticator();
+ authenticator.setAuthenticatorVno(5);
+ authenticator.setCname(tgt.getClientPrincipal());
+ authenticator.setCrealm(tgt.getRealm());
+ authenticator.setCtime(KerberosTime.now());
+ authenticator.setCusec(0);
+ authenticator.setSubKey(tgt.getSessionKey());
+
+ KdcReqBody reqBody = getReqBody();
+ CheckSum checksum = CheckSumUtil.seal(reqBody, null,
+ tgt.getSessionKey(), KeyUsage.TGS_REQ_AUTH_CKSUM);
+ authenticator.setCksum(checksum);
+
+ return authenticator;
+ }
}
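Review bot: getApReq() now builds and caches a time-stamped authenticator on first call, so if the same TgsRequestWithTgt instance is sent again (e.g. after a KDC error that prompts a retry), the stale ctime/cksum are reused rather than regenerated; if retry reuses the instance, either clear apReq before resending or document that the object is single-use. The public signature changes from `public ApReq getApReq()` to `public ApReq getApReq() throws KrbException`, which breaks any caller compiled against the old form; callers are not visible here, so worth checking. The diffstat shows the server-side TgsRequest gains only a blank line, so nothing in this commit verifies the new cksum on the KDC, which means a wrong key or usage on the client would go unnoticed by the existing tests; a KDC-side verification against the decoded req-body with KeyUsage.TGS_REQ_AUTH_CKSUM is the natural follow-up. makeAuthenticator itself would benefit from a one-line Javadoc naming the RFC 4120 §5.5.1 fields it fills and stating that the checksum covers the KDC-REQ-BODY under the TGT session key.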
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/df6ba15d/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/CheckSumUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/CheckSumUtil.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/CheckSumUtil.java
index 1231ef4..23e6130 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/CheckSumUtil.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/CheckSumUtil.java
@@ -19,6 +19,7 @@
*/
package org.apache.kerby.kerberos.kerb.common;
+import org.apache.kerby.asn1.type.AbstractAsn1Type;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
@@ -38,10 +39,28 @@ public class CheckSumUtil {
public static CheckSum makeCheckSumWithKey(CheckSumType checkSumType, byte[] input,
EncryptionKey key, KeyUsage usage)
throws KrbException {
- if (checkSumType == CheckSumType.NONE) {
+ if (checkSumType == null || checkSumType == CheckSumType.NONE) {
EncTypeHandler handler = EncryptionHandler.getEncHandler(key.getKeyType());
checkSumType = handler.checksumType();
+ if (checkSumType == null) {
+ // By default, may be configured
+ checkSumType = CheckSumType.CMAC_CAMELLIA128;
+ }
}
return CheckSumHandler.checksumWithKey(checkSumType, input, key.getKeyData(), usage);
}
+
+ public static CheckSum seal(AbstractAsn1Type<?> asn1Object,
+ CheckSumType checkSumType) throws KrbException {
+ byte[] encoded = asn1Object.encode();
+ CheckSum checksum = makeCheckSum(checkSumType, encoded);
+ return checksum;
+ }
+
+ public static CheckSum seal(AbstractAsn1Type<?> asn1Object, CheckSumType checkSumType,
+ EncryptionKey key, KeyUsage usage) throws KrbException {
+ byte[] encoded = asn1Object.encode();
+ CheckSum checksum = makeCheckSumWithKey(checkSumType, encoded, key, usage);
+ return checksum;
+ }
}
\ No newline at end of file
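Review bot: The new fallback `checkSumType = CheckSumType.CMAC_CAMELLIA128;` silently picks a Camellia CMAC when the key's enctype handler reports no checksum type, so a key of any other enctype would be fed to an unrelated algorithm and at best produce a checksum the peer cannot verify, masking a misconfiguration; the safer behaviour is to fail loudly, e.g. `throw new KrbException("No checksum type mapped for key type " + key.getKeyType());`, and the comment `// By default, may be configured` should then go, or become a concrete TODO naming the configuration key if one is planned. Both seal overloads and makeCheckSumWithKey now accept null as checkSumType to mean "derive from the key's enctype" (the callers added in this commit pass null), which deserves a Javadoc `@param checkSumType the checksum type, or null/NONE to use the type mandated by the key's encryption type`. The two-argument seal calls makeCheckSum, which is outside the hunk, so whether it also tolerates null cannot be confirmed here.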
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/df6ba15d/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
index c2bd96d..1bf17d6 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
@@ -44,5 +44,4 @@ public class KrbUtil {
String nameString = "kadmin/" + realm + "@" + realm;
return new PrincipalName(nameString, NameType.NT_PRINCIPAL);
}
-
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/df6ba15d/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
index 5d80c03..bd0cc80 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -146,6 +146,7 @@ public class TgsRequest extends KdcRequest {
if (encKey == null) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
}
+
Authenticator authenticator = EncryptionUtil.unseal(apReq.getEncryptedAuthenticator(),
encKey, KeyUsage.TGS_REQ_AUTH, Authenticator.class);