Posted to commits@directory.apache.org by pl...@apache.org on 2016/02/23 06:29:32 UTC
directory-kerby git commit: Refactor the code.
Repository: directory-kerby
Updated Branches:
refs/heads/trunk 3a9d193da -> 22272befa
Refactor the code.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/22272bef
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/22272bef
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/22272bef
Branch: refs/heads/trunk
Commit: 22272befa3a312696754eb399482c0838db99d9b
Parents: 3a9d193
Author: plusplusjiajia <ji...@intel.com>
Authored: Tue Feb 23 13:36:54 2016 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Tue Feb 23 13:36:54 2016 +0800
----------------------------------------------------------------------
.../client/preauth/pkinit/PkinitPreauth.java | 8 +--
.../kerb/preauth/pkinit/PkinitCrypto.java | 10 +++-
.../server/preauth/pkinit/PkinitPreauth.java | 61 ++++++++++++--------
.../kerb/server/request/KdcRequest.java | 2 +-
4 files changed, 51 insertions(+), 30 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/22272bef/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
index 30aaff2..230ccb0 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.java
@@ -293,15 +293,15 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
// DhNonce dhNonce = new DhNonce();
// authPack.setClientDhNonce(dhNonce);
+ byte[] signedAuthPack = signAuthPack(authPack);
+ paPkAsReq.setSignedAuthPack(signedAuthPack);
} else {
LOG.info("RSA key transport algorithm");
// authPack.setClientPublicValue(null);
}
- byte[] signedAuthPack = signAuthPack(authPack);
- paPkAsReq.setSignedAuthPack(signedAuthPack);
TrustedCertifiers trustedCertifiers = pkinitContext.pluginOpts.createTrustedCertifiers();
paPkAsReq.setTrustedCertifiers(trustedCertifiers);
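Review bot: After this hunk `paPkAsReq.setSignedAuthPack` is only called inside the DH branch; the RSA key-transport `else` branch now builds a PaPkAsReq with no signedAuthPack at all, and RFC 4556 makes that field mandatory in PA-PK-AS-REQ. Unless the RSA path is deliberately being disabled (the commit message "Refactor the code." does not say so), the two lines `byte[] signedAuthPack = signAuthPack(authPack); paPkAsReq.setSignedAuthPack(signedAuthPack);` should stay after the if/else as before, or the RSA branch should fail loudly instead of sending an incomplete request. The enclosing method starts before this hunk.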
@@ -316,8 +316,8 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
String oid = pkinitContext.cryptoctx.getIdPkinitAuthDataOID();
- byte[] signedDataBytes = PkinitCrypto.cmsSignedDataCreate(
- KrbCodec.encode(authPack), oid, 3, null, null, null, null);
+ byte[] signedDataBytes = PkinitCrypto.eContentInfoCreate(
+ KrbCodec.encode(authPack), oid);
return signedDataBytes;
}
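Review bot: `signAuthPack` no longer signs anything: it now returns `PkinitCrypto.eContentInfoCreate(...)`, a bare EncapsulatedContentInfo, for every client, yet the server side of this same commit decodes a ContentInfo/SignedData and calls `verifyCmsSignedData` whenever REQUEST_ANONYMOUS is not set. A non-anonymous client will therefore send an unsigned blob the KDC cannot parse, so either the client should branch on anonymity the same way the server does (keeping the `cmsSignedDataCreate` path for named principals) or the method should be renamed to something like `buildUnsignedAuthPack` so the missing signature is not hidden behind the old name. At minimum a comment such as `// Anonymous PKINIT only: the AuthPack is wrapped without a CMS signature.` would make the intent explicit.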
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/22272bef/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
index f4981a8..cc09a37 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.java
@@ -222,7 +222,8 @@ public class PkinitCrypto {
public static byte[] cmsSignedDataCreate(byte[] data, String oid, int version,
DigestAlgorithmIdentifiers digestAlgorithmIdentifiers,
CertificateSet certificateSet,
- RevocationInfoChoices crls, SignerInfos signerInfos) throws KrbException {
+ RevocationInfoChoices crls, SignerInfos signerInfos)
+ throws KrbException {
SignedContentInfo contentInfo = new SignedContentInfo();
contentInfo.setContentType("1.2.840.113549.1.7.2");
SignedData signedData = new SignedData();
@@ -247,6 +248,13 @@ public class PkinitCrypto {
return KrbCodec.encode(contentInfo);
}
+ public static byte[] eContentInfoCreate(byte[] data, String oid) throws KrbException {
+ EncapsulatedContentInfo eContentInfo = new EncapsulatedContentInfo();
+ eContentInfo.setContentType(oid);
+ eContentInfo.setContent(data);
+ return KrbCodec.encode(eContentInfo);
+ }
+
public static X509Certificate[] createCertChain(PkinitPlgCryptoContext cryptoContext)
throws CertificateNotYetValidException, CertificateExpiredException {
LOG.info("Building certificate chain.");
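Review bot: `eContentInfoCreate` is undocumented, and its name does not say that it produces an unsigned, un-enveloped EncapsulatedContentInfo rather than the CMS ContentInfo/SignedData that `cmsSignedDataCreate` directly above it returns. If I recall RFC 6112 section 4.1 correctly, anonymous PKINIT still sends signedAuthPack as a SignedData whose signerInfos is empty (which is also what MIT krb5 emits), so a bare EncapsulatedContentInfo will likely not interoperate with other implementations; worth confirming against the RFC before this becomes the wire format. At minimum add a Javadoc: `/** Encodes {@code data} as a bare EncapsulatedContentInfo with content type {@code oid}. No signature is applied, so the result is only usable where the peer does not verify one (anonymous PKINIT). */`.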
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/22272bef/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
index aa4d32d..fa93780 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
@@ -26,6 +26,7 @@ import org.apache.kerby.asn1.type.Asn1Integer;
import org.apache.kerby.cms.type.CertificateChoices;
import org.apache.kerby.cms.type.CertificateSet;
import org.apache.kerby.cms.type.ContentInfo;
+import org.apache.kerby.cms.type.EncapsulatedContentInfo;
import org.apache.kerby.cms.type.SignedData;
import org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.kerby.kerberos.kerb.KrbErrorCode;
@@ -132,37 +133,49 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
PaPkAsReq paPkAsReq = KrbCodec.decode(paData.getPaDataValue(), PaPkAsReq.class);
byte[] signedAuthPack = paPkAsReq.getSignedAuthPack();
+ AuthPack authPack = null;
+ if (kdcRequest.isAnonymous()) {
+ EncapsulatedContentInfo eContentInfo = new EncapsulatedContentInfo();
+ try {
+ eContentInfo.decode(signedAuthPack);
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ authPack = KrbCodec.decode(eContentInfo.getContent(), AuthPack.class);
- ContentInfo contentInfo = new ContentInfo();
- try {
- contentInfo.decode(signedAuthPack);
- } catch (IOException e) {
- e.printStackTrace();
- }
+ } else {
- SignedData signedData = contentInfo.getContentAs(SignedData.class);
+ ContentInfo contentInfo = new ContentInfo();
+ try {
+ contentInfo.decode(signedAuthPack);
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
- PkinitCrypto.verifyCmsSignedData(CmsMessageType.CMS_SIGN_CLIENT, signedData);
+ SignedData signedData = contentInfo.getContentAs(SignedData.class);
- Boolean isSigned = signedData.isSigned();
- if (isSigned) {
- //TODO
- LOG.info("Signed data.");
- } else {
- PrincipalName clientPrincial = kdcRequest.getClientEntry().getPrincipal();
- PrincipalName anonymousPrincipal = KrbUtil.makeAnonymousPrincipal();
+ PkinitCrypto.verifyCmsSignedData(CmsMessageType.CMS_SIGN_CLIENT, signedData);
+
+ Boolean isSigned = signedData.isSigned();
+ if (isSigned) {
+ //TODO
+ LOG.info("Signed data.");
+ } else {
+ PrincipalName clientPrincial = kdcRequest.getClientEntry().getPrincipal();
+ PrincipalName anonymousPrincipal = KrbUtil.makeAnonymousPrincipal();
/* If anonymous requests are being used, adjust the realm of the client principal. */
- if (kdcRequest.getKdcOptions().isFlagSet(KdcOption.REQUEST_ANONYMOUS)
- && !KrbUtil.pricipalCompareIgnoreRealm(clientPrincial, anonymousPrincipal)) {
- String errMsg = "Pkinit request not signed, but client not anonymous.";
- LOG.error(errMsg);
- throw new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED, errMsg);
+ if (kdcRequest.getKdcOptions().isFlagSet(KdcOption.REQUEST_ANONYMOUS)
+ && !KrbUtil.pricipalCompareIgnoreRealm(clientPrincial, anonymousPrincipal)) {
+ String errMsg = "Pkinit request not signed, but client not anonymous.";
+ LOG.error(errMsg);
+ throw new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED, errMsg);
+ }
}
- }
- AuthPack authPack = KrbCodec.decode(
- signedData.getEncapContentInfo().getContent(), AuthPack.class);
+ authPack = KrbCodec.decode(
+ signedData.getEncapContentInfo().getContent(), AuthPack.class);
+ }
PkAuthenticator pkAuthenticator = authPack.getPkAuthenticator();
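Review bot: The anonymous branch added at the top of this hunk skips `verifyCmsSignedData` entirely on the strength of `kdcRequest.isAnonymous()`, which (per the KdcRequest hunk below) only reads the client-supplied REQUEST_ANONYMOUS option, and it drops the `pricipalCompareIgnoreRealm(clientPrincial, anonymousPrincipal)` check that the old unsigned path had; that check now lives only under the signed path, where it is reached only when `isSigned` is false. A request that names a real client principal but sets REQUEST_ANONYMOUS therefore reaches AuthPack decoding with no signature verified; whether later code outside this hunk replaces the client with the anonymous principal I cannot tell from here, so either confirm that or add the guard to the new branch: `if (!KrbUtil.pricipalCompareIgnoreRealm(kdcRequest.getClientEntry().getPrincipal(), KrbUtil.makeAnonymousPrincipal())) { throw new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED, "Anonymous pkinit request for non-anonymous client."); }`. The new branch also repeats the `e.printStackTrace()` pattern and then goes on to `eContentInfo.getContent()` after a failed decode, so a malformed signedAuthPack from the network ends in a logged stack trace and a likely NullPointerException instead of a `KrbException` with `KrbErrorCode.KDC_ERR_PREAUTH_FAILED`. The enclosing method starts before this hunk and continues past it.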
@@ -244,7 +257,7 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
kdcRequest.getPreauthContext().getOutputPaData().add(paDataEntry);
} else {
- if (!isSigned) {
+ if (!kdcRequest.isAnonymous()) {
/*Anonymous pkinit requires DH*/
String errMessage = "Anonymous pkinit without DH public value not supported.";
LOG.error(errMessage);
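Review bot: The new condition `if (!kdcRequest.isAnonymous())` looks inverted relative to the error it raises: the message says anonymous PKINIT requires a DH public value, so on this path (no client public value) the failure should fire when the request is anonymous, i.e. `if (kdcRequest.isAnonymous()) {`. As written, an anonymous request without DH falls through to whatever follows (outside the hunk), while non-anonymous RSA-transport requests are the ones rejected with an "Anonymous pkinit" error. The enclosing block starts before and ends after this hunk, so I cannot see what the fall-through leads to.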
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/22272bef/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index d3c675c..abd7eec 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -808,7 +808,7 @@ public abstract class KdcRequest {
return isPkinit;
}
- protected boolean isAnonymous() {
+ public boolean isAnonymous() {
return getKdcOptions().isFlagSet(KdcOption.REQUEST_ANONYMOUS);
}
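Review bot: `isAnonymous()` becomes public API here without Javadoc, and what it reports is only that the client set the REQUEST_ANONYMOUS KDC option, not that the client has been verified as the anonymous principal; the server-side PKINIT code in this commit uses it to skip signature verification, so callers need that caveat spelled out. Add `/** Whether the client set the REQUEST_ANONYMOUS KDC option. This is a client-supplied flag, not a verified identity; do not use it alone to bypass authentication checks. */` above the method.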