Posted to commits@directory.apache.org by ka...@apache.org on 2013/02/06 19:19:39 UTC
svn commit: r1443107 [4/6] - in /directory/apacheds/trunk:
interceptor-kerberos/src/main/java/org/apache/directory/server/core/kerberos/
kerberos-codec/
kerberos-codec/src/main/java/org/apache/directory/server/kerberos/changepwd/
kerberos-codec/src/mai...
Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/KdcServer.java Wed Feb 6 18:19:36 2013
@@ -21,31 +21,25 @@ package org.apache.directory.server.kerb
import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import javax.security.auth.kerberos.KerberosPrincipal;
import net.sf.ehcache.Cache;
import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
import org.apache.directory.api.ldap.model.name.Dn;
-import org.apache.directory.server.constants.ServerDNConstants;
+import org.apache.directory.server.kerberos.KerberosConfig;
+import org.apache.directory.server.kerberos.changepwd.ChangePasswordServer;
import org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler;
import org.apache.directory.server.kerberos.protocol.codec.KerberosProtocolCodecFactory;
import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
import org.apache.directory.server.kerberos.shared.replay.ReplayCacheImpl;
-import org.apache.directory.server.kerberos.shared.store.DirectoryPrincipalStore;
import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.directory.server.protocol.shared.DirectoryBackedService;
import org.apache.directory.server.protocol.shared.transport.TcpTransport;
import org.apache.directory.server.protocol.shared.transport.Transport;
-import org.apache.directory.server.protocol.shared.transport.UdpTransport;
-import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder;
import org.apache.mina.core.filterchain.IoFilterChainBuilder;
import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
-import org.apache.mina.transport.socket.DatagramAcceptor;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
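Review bot: The import of `DirectoryPrincipalStore` is removed at the `-import org.apache.directory.server.kerberos.shared.store.DirectoryPrincipalStore;` line, yet `start()` further down in this file still executes `new DirectoryPrincipalStore( getDirectoryService(), new Dn(this.getSearchBaseDn()) )`. Unless the class was moved into the `org.apache.directory.server.kerberos.kdc` package by another part of this commit (not visible here), the file no longer compiles; either restore the import or reference the class from its new package. Worth a quick check, since the rest of this hunk is otherwise a plain import cleanup.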
@@ -62,374 +56,37 @@ public class KdcServer extends Directory
/** logger for this class */
private static final Logger LOG = LoggerFactory.getLogger( KdcServer.class.getName() );
-
- /** The default kdc port */
- private static final int DEFAULT_IP_PORT = 88;
-
- /** The default kdc service pid */
- private static final String DEFAULT_PID = "org.apache.directory.server.kerberos";
-
+
/** The default kdc service name */
- private static final String DEFAULT_NAME = "ApacheDS Kerberos Service";
-
- /** The default kdc service principal */
- private static final String DEFAULT_PRINCIPAL = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
-
- /** The default kdc realm */
- private static final String DEFAULT_REALM = "EXAMPLE.COM";
-
- /** The default allowable clockskew */
- private static final long DEFAULT_ALLOWABLE_CLOCKSKEW = 5 * 60000;
-
- /** The default encryption types */
- private static final String[] DEFAULT_ENCRYPTION_TYPES = new String[]
- { "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd", "des-cbc-md5" };
-
- /** The default for allowing empty addresses */
- private static final boolean DEFAULT_EMPTY_ADDRESSES_ALLOWED = true;
-
- /** The default for requiring encrypted timestamps */
- private static final boolean DEFAULT_PA_ENC_TIMESTAMP_REQUIRED = true;
-
- /** The default for the maximum ticket lifetime */
- private static final int DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME = 60000 * 1440;
-
- /** The default for the maximum renewable lifetime */
- private static final int DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME = 60000 * 10080;
-
- /** The default for allowing forwardable tickets */
- private static final boolean DEFAULT_TGS_FORWARDABLE_ALLOWED = true;
-
- /** The default for allowing proxiable tickets */
- private static final boolean DEFAULT_TGS_PROXIABLE_ALLOWED = true;
-
- /** The default for allowing postdated tickets */
- private static final boolean DEFAULT_TGS_POSTDATED_ALLOWED = true;
-
- /** The default for allowing renewable tickets */
- private static final boolean DEFAULT_TGS_RENEWABLE_ALLOWED = true;
-
- /** The default for verifying the body checksum */
- private static final boolean DEFAULT_VERIFY_BODY_CHECKSUM = true;
-
- /** The encryption types. */
- private List<EncryptionType> encryptionTypes;
-
- /** The primary realm */
- private String primaryRealm = DEFAULT_REALM;
-
- /** The service principal name. */
- private String servicePrincipal = DEFAULT_PRINCIPAL;
-
- /** The allowable clock skew. */
- private long allowableClockSkew = DEFAULT_ALLOWABLE_CLOCKSKEW;
-
- /** Whether pre-authentication by encrypted timestamp is required. */
- private boolean isPaEncTimestampRequired = DEFAULT_PA_ENC_TIMESTAMP_REQUIRED;
-
- /** The maximum ticket lifetime. */
- private long maximumTicketLifetime = DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME;
-
- /** The maximum renewable lifetime. */
- private long maximumRenewableLifetime = DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME;
-
- /** Whether empty addresses are allowed. */
- private boolean isEmptyAddressesAllowed = DEFAULT_EMPTY_ADDRESSES_ALLOWED;
-
- /** Whether forwardable addresses are allowed. */
- private boolean isForwardableAllowed = DEFAULT_TGS_FORWARDABLE_ALLOWED;
-
- /** Whether proxiable addresses are allowed. */
- private boolean isProxiableAllowed = DEFAULT_TGS_PROXIABLE_ALLOWED;
-
- /** Whether postdated tickets are allowed. */
- private boolean isPostdatedAllowed = DEFAULT_TGS_POSTDATED_ALLOWED;
-
- /** Whether renewable tickets are allowed. */
- private boolean isRenewableAllowed = DEFAULT_TGS_RENEWABLE_ALLOWED;
-
- /** Whether to verify the body checksum. */
- private boolean isBodyChecksumVerified = DEFAULT_VERIFY_BODY_CHECKSUM;
+ private static final String SERVICE_NAME = "Keydap Kerberos Service";
/** the cache used for storing AS and TGS requests */
private ReplayCache replayCache;
-
+ private KerberosConfig config;
+
+ private ChangePasswordServer changePwdServer;
+
/**
- * Creates a new instance of KdcConfiguration.
+ * Creates a new instance of KdcServer with the default configuration.
*/
public KdcServer()
{
- super.setServiceName( DEFAULT_NAME );
- super.setServiceId( DEFAULT_PID );
- super.setSearchBaseDn( ServerDNConstants.USER_EXAMPLE_COM_DN );
-
- prepareEncryptionTypes();
- }
-
-
- /**
- * Returns the allowable clock skew.
- *
- * @return The allowable clock skew.
- */
- public long getAllowableClockSkew()
- {
- return allowableClockSkew;
- }
-
-
- /**
- * @return the isEmptyAddressesAllowed
- */
- public boolean isEmptyAddressesAllowed()
- {
- return isEmptyAddressesAllowed;
- }
-
-
- /**
- * @return the isForwardableAllowed
- */
- public boolean isForwardableAllowed()
- {
- return isForwardableAllowed;
- }
-
-
- /**
- * @return the isPostdatedAllowed
- */
- public boolean isPostdatedAllowed()
- {
- return isPostdatedAllowed;
- }
-
-
- /**
- * @return the isProxiableAllowed
- */
- public boolean isProxiableAllowed()
- {
- return isProxiableAllowed;
- }
-
-
- /**
- * @return the isRenewableAllowed
- */
- public boolean isRenewableAllowed()
- {
- return isRenewableAllowed;
- }
-
-
- /**
- * @return the maximumRenewableLifetime
- */
- public long getMaximumRenewableLifetime()
- {
- return maximumRenewableLifetime;
- }
-
-
- /**
- * @return the maximumTicketLifetime
- */
- public long getMaximumTicketLifetime()
- {
- return maximumTicketLifetime;
- }
-
-
- /**
- * @param allowableClockSkew the allowableClockSkew to set
- */
- public void setAllowableClockSkew( long allowableClockSkew )
- {
- this.allowableClockSkew = allowableClockSkew;
- }
-
-
- /**
- * Initialize the encryptionTypes set
- *
- * @param encryptionTypes the encryptionTypes to set
- */
- public void setEncryptionTypes( EncryptionType[] encryptionTypes )
- {
- if ( encryptionTypes != null )
- {
- this.encryptionTypes.clear();
-
- for ( EncryptionType encryptionType : encryptionTypes )
- {
- this.encryptionTypes.add( encryptionType );
- }
- }
+ this( new KerberosConfig() );
}
-
-
+
+
/**
- * Initialize the encryptionTypes set
*
- * @param encryptionTypes the encryptionTypes to set
- */
- public void setEncryptionTypes( List<EncryptionType> encryptionTypes )
- {
- this.encryptionTypes = encryptionTypes;
- }
-
-
- /**
- * @param isEmptyAddressesAllowed the isEmptyAddressesAllowed to set
- */
- public void setEmptyAddressesAllowed( boolean isEmptyAddressesAllowed )
- {
- this.isEmptyAddressesAllowed = isEmptyAddressesAllowed;
- }
-
-
- /**
- * @param isForwardableAllowed the isForwardableAllowed to set
- */
- public void setForwardableAllowed( boolean isForwardableAllowed )
- {
- this.isForwardableAllowed = isForwardableAllowed;
- }
-
-
- /**
- * @param isPaEncTimestampRequired the isPaEncTimestampRequired to set
- */
- public void setPaEncTimestampRequired( boolean isPaEncTimestampRequired )
- {
- this.isPaEncTimestampRequired = isPaEncTimestampRequired;
- }
-
-
- /**
- * @param isPostdatedAllowed the isPostdatedAllowed to set
- */
- public void setPostdatedAllowed( boolean isPostdatedAllowed )
- {
- this.isPostdatedAllowed = isPostdatedAllowed;
- }
-
-
- /**
- * @param isProxiableAllowed the isProxiableAllowed to set
- */
- public void setProxiableAllowed( boolean isProxiableAllowed )
- {
- this.isProxiableAllowed = isProxiableAllowed;
- }
-
-
- /**
- * @param isRenewableAllowed the isRenewableAllowed to set
- */
- public void setRenewableAllowed( boolean isRenewableAllowed )
- {
- this.isRenewableAllowed = isRenewableAllowed;
- }
-
-
- /**
- * @param kdcPrincipal the kdcPrincipal to set
- */
- public void setKdcPrincipal( String kdcPrincipal )
- {
- this.servicePrincipal = kdcPrincipal;
- }
-
-
- /**
- * @param maximumRenewableLifetime the maximumRenewableLifetime to set
- */
- public void setMaximumRenewableLifetime( long maximumRenewableLifetime )
- {
- this.maximumRenewableLifetime = maximumRenewableLifetime;
- }
-
-
- /**
- * @param maximumTicketLifetime the maximumTicketLifetime to set
- */
- public void setMaximumTicketLifetime( long maximumTicketLifetime )
- {
- this.maximumTicketLifetime = maximumTicketLifetime;
- }
-
-
- /**
- * @param primaryRealm the primaryRealm to set
- */
- public void setPrimaryRealm( String primaryRealm )
- {
- this.primaryRealm = primaryRealm;
- }
-
-
- /**
- * Returns the primary realm.
- *
- * @return The primary realm.
- */
- public String getPrimaryRealm()
- {
- return primaryRealm;
- }
-
-
- /**
- * Returns the service principal for this KDC service.
- *
- * @return The service principal for this KDC service.
- */
- public KerberosPrincipal getServicePrincipal()
- {
- return new KerberosPrincipal( servicePrincipal );
- }
-
-
- /**
- * Returns the encryption types.
+ * Creates a new instance of KdcServer with the given config.
*
- * @return The encryption types.
+ * @param config the kerberos server configuration
*/
- public List<EncryptionType> getEncryptionTypes()
+ public KdcServer( KerberosConfig config )
{
- return encryptionTypes;
- }
-
-
- /**
- * Returns whether pre-authentication by encrypted timestamp is required.
- *
- * @return Whether pre-authentication by encrypted timestamp is required.
- */
- public boolean isPaEncTimestampRequired()
- {
- return isPaEncTimestampRequired;
- }
-
-
- /**
- * @return the isBodyChecksumVerified
- */
- public boolean isBodyChecksumVerified()
- {
- return isBodyChecksumVerified;
- }
-
-
- /**
- * @param isBodyChecksumVerified the isBodyChecksumVerified to set
- */
- public void setBodyChecksumVerified( boolean isBodyChecksumVerified )
- {
- this.isBodyChecksumVerified = isBodyChecksumVerified;
+ this.config = config;
+ super.setServiceName( SERVICE_NAME );
+ super.setSearchBaseDn( config.getSearchBaseDn() );
}
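Review bot: The new `KdcServer( KerberosConfig config )` constructor dereferences `config` immediately via `config.getSearchBaseDn()` with no null check, so a caller passing null gets a bare NullPointerException that does not name the bad argument; `this.config = Objects.requireNonNull( config, "config" );` (with `java.util.Objects` imported) makes the contract explicit. The service name also silently changes from "ApacheDS Kerberos Service" to "Keydap Kerberos Service", which looks like a vendor name leaking into the Apache code base and should probably be reverted, and `super.setServiceId( DEFAULT_PID )` is dropped without a replacement, so the service id is now whatever the superclass defaults to. Finally, the encryption-type defaults previously defined here (including single-DES `des-cbc-md5`) now live in `KerberosConfig`, which is not part of this diff; it is worth confirming the new defaults no longer enable DES.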
@@ -449,78 +106,55 @@ public class KdcServer extends Directory
{
PrincipalStore store;
- // TODO - for now ignoring this catalog crap
- store = new DirectoryPrincipalStore( getDirectoryService(), new Dn( this.getSearchBaseDn() ) );
-
+ store = new DirectoryPrincipalStore( getDirectoryService(), new Dn(this.getSearchBaseDn()) );
+
LOG.debug( "initializing the kerberos replay cache" );
Cache cache = getDirectoryService().getCacheService().getCache( "kdcReplayCache" );
- replayCache = new ReplayCacheImpl( cache, allowableClockSkew );
-
- if ( ( transports == null ) || ( transports.size() == 0 ) )
+ replayCache = new ReplayCacheImpl( cache, config.getAllowableClockSkew() );
+
+ // Kerberos can use UDP or TCP
+ for ( Transport transport:transports )
{
- // Default to UDP with port 88
- // We have to create a DatagramAcceptor
- UdpTransport transport = new UdpTransport( DEFAULT_IP_PORT );
- setTransports( transport );
-
- DatagramAcceptor acceptor = transport.getAcceptor();
-
+ IoAcceptor acceptor = transport.getAcceptor();
+
+ // Now, configure the acceptor
// Inject the chain
- IoFilterChainBuilder udpChainBuilder = new DefaultIoFilterChainBuilder();
-
- ( ( DefaultIoFilterChainBuilder ) udpChainBuilder ).addFirst( "codec",
- new ProtocolCodecFilter(
+ IoFilterChainBuilder chainBuilder = new DefaultIoFilterChainBuilder();
+
+ if ( transport instanceof TcpTransport )
+ {
+ // Now, configure the acceptor
+ // Disable the disconnection of the clients on unbind
+ acceptor.setCloseOnDeactivation( false );
+
+ // No Nagle's algorithm
+ ((NioSocketAcceptor)acceptor).getSessionConfig().setTcpNoDelay( true );
+
+ // Allow the port to be reused even if the socket is in TIME_WAIT state
+ ((NioSocketAcceptor)acceptor).setReuseAddress( true );
+ }
+
+ // Inject the codec
+ ((DefaultIoFilterChainBuilder)chainBuilder).addFirst( "codec",
+ new ProtocolCodecFilter(
KerberosProtocolCodecFactory.getInstance() ) );
-
- acceptor.setFilterChainBuilder( udpChainBuilder );
-
+
+ acceptor.setFilterChainBuilder( chainBuilder );
+
// Inject the protocol handler
acceptor.setHandler( new KerberosProtocolHandler( this, store ) );
-
+
// Bind to the configured address
acceptor.bind();
}
- else
+
+ LOG.info( "Kerberos service started." );
+
+ if( changePwdServer != null )
{
- // Kerberos can use UDP or TCP
- for ( Transport transport : transports )
- {
- IoAcceptor acceptor = transport.getAcceptor();
-
- // Now, configure the acceptor
- // Inject the chain
- IoFilterChainBuilder chainBuilder = new DefaultIoFilterChainBuilder();
-
- if ( transport instanceof TcpTransport )
- {
- // Now, configure the acceptor
- // Disable the disconnection of the clients on unbind
- acceptor.setCloseOnDeactivation( false );
-
- // No Nagle's algorithm
- ( ( NioSocketAcceptor ) acceptor ).getSessionConfig().setTcpNoDelay( true );
-
- // Allow the port to be reused even if the socket is in TIME_WAIT state
- ( ( NioSocketAcceptor ) acceptor ).setReuseAddress( true );
- }
-
- // Inject the codec
- ( ( DefaultIoFilterChainBuilder ) chainBuilder ).addFirst( "codec",
- new ProtocolCodecFilter(
- KerberosProtocolCodecFactory.getInstance() ) );
-
- acceptor.setFilterChainBuilder( chainBuilder );
-
- // Inject the protocol handler
- acceptor.setHandler( new KerberosProtocolHandler( this, store ) );
-
- // Bind to the configured address
- acceptor.bind();
- }
+ changePwdServer.start();
}
-
- LOG.info( "Kerberos service started." );
}
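Review bot: `start()` now iterates `transports` unconditionally, so a null list throws NullPointerException and an empty list binds nothing yet still logs "Kerberos service started."; the removed branch defaulted to UDP on port 88 in exactly that case. Since the default has been dropped, fail fast before the loop: `if ( ( transports == null ) || transports.isEmpty() ) { throw new IllegalStateException( "No transport configured for the KDC" ); }`, or at least log at warn level so a misconfigured KDC is not reported as running. The `start()` signature is above this hunk.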
@@ -542,27 +176,49 @@ public class KdcServer extends Directory
}
LOG.info( "Kerberos service stopped." );
+
+ if( changePwdServer != null )
+ {
+ changePwdServer.stop();
+ }
}
/**
- * Construct an HashSet containing the default encryption types
+ * gets the port number on which TCP transport is running
+ * @return the port number if TCP transport is enabled, -1 otherwise
*/
- private void prepareEncryptionTypes()
+ public int getTcpPort()
{
- String[] encryptionTypeStrings = DEFAULT_ENCRYPTION_TYPES;
-
- encryptionTypes = new ArrayList<EncryptionType>();
-
- for ( String enc : encryptionTypeStrings )
+ for( Transport t : transports )
{
- EncryptionType type = EncryptionType.getByName( enc );
-
- if ( !EncryptionType.UNKNOWN.equals( type ) )
+ if ( t instanceof TcpTransport )
{
- encryptionTypes.add( type );
+ return t.getPort();
}
}
+
+ return -1;
+ }
+
+ /**
+ * @return the KDC server configuration
+ */
+ public KerberosConfig getConfig()
+ {
+ return config;
+ }
+
+
+ public ChangePasswordServer getChangePwdServer()
+ {
+ return changePwdServer;
+ }
+
+
+ public void setChangePwdServer( ChangePasswordServer changePwdServer )
+ {
+ this.changePwdServer = changePwdServer;
}
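Review bot: `setChangePwdServer` has no guard against being called after `start()`: the newly assigned server is never started and the previously assigned one is never stopped, while `getConfig()` hands out the live, mutable `KerberosConfig`. Either document that both must be set before `start()` or, if the superclass exposes an `isStarted()`-style flag (not visible here), start and stop the change-password server in the setter accordingly. Both new accessors also lack Javadoc; at minimum `/** @return the Change Password server paired with this KDC, or null if none is configured */` on the getter and a matching `@param` on the setter. Separately, `getTcpPort()` walks `transports` without a null check, which is fine only if the superclass guarantees a non-null list.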
Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java Wed Feb 6 18:19:36 2013
@@ -24,6 +24,7 @@ import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.util.Date;
import java.util.List;
+import java.util.Set;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
@@ -31,8 +32,8 @@ import javax.security.auth.kerberos.Kerb
import org.apache.directory.api.asn1.EncoderException;
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.i18n.I18n;
+import org.apache.directory.server.kerberos.KerberosConfig;
import org.apache.directory.server.kerberos.kdc.KdcContext;
-import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder;
import org.apache.directory.server.kerberos.sam.SamException;
import org.apache.directory.server.kerberos.sam.SamSubsystem;
@@ -49,6 +50,8 @@ import org.apache.directory.shared.kerbe
import org.apache.directory.shared.kerberos.codec.types.LastReqType;
import org.apache.directory.shared.kerberos.codec.types.PaDataType;
import org.apache.directory.shared.kerberos.components.ETypeInfo;
+import org.apache.directory.shared.kerberos.components.ETypeInfo2;
+import org.apache.directory.shared.kerberos.components.ETypeInfo2Entry;
import org.apache.directory.shared.kerberos.components.ETypeInfoEntry;
import org.apache.directory.shared.kerberos.components.EncKdcRepPart;
import org.apache.directory.shared.kerberos.components.EncTicketPart;
@@ -103,7 +106,7 @@ public class AuthenticationService
{
monitorRequest( authContext );
}
-
+
authContext.setCipherTextHandler( cipherTextHandler );
if ( authContext.getRequest().getProtocolVersionNumber() != KerberosConstants.KERBEROS_V5 )
@@ -116,26 +119,21 @@ public class AuthenticationService
verifyPolicy( authContext );
verifySam( authContext );
verifyEncryptedTimestamp( authContext );
-
- if ( authContext.getClientKey() == null )
- {
- verifyEncryptedTimestamp( authContext );
- }
-
+
getServerEntry( authContext );
generateTicket( authContext );
buildReply( authContext );
}
-
- private static void selectEncryptionType( AuthenticationContext authContext ) throws KerberosException,
- InvalidTicketException
+
+ private static void selectEncryptionType( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
{
- KdcContext kdcContext = authContext;
- KdcServer config = kdcContext.getConfig();
-
- List<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();
+ KdcContext kdcContext = ( KdcContext ) authContext;
+ KerberosConfig config = kdcContext.getConfig();
+ Set<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();
+ LOG.debug( "Encryption types requested by client {}.", requestedTypes );
+
EncryptionType bestType = KerberosUtils.getBestEncryptionType( requestedTypes, config.getEncryptionTypes() );
LOG.debug( "Session will use encryption type {}.", bestType );
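Review bot: `getEType()` now returns a `Set<EncryptionType>` instead of a `List`, so the client's preference order survives only if the codec builds an insertion-ordered set (e.g. `LinkedHashSet`); with a `HashSet` the order fed to `KerberosUtils.getBestEncryptionType` is arbitrary and the KDC may pick a weaker enctype than the one the client listed first. RFC 4120 §5.4.1 defines the KDC-REQ-BODY etype list as being in the client's order of preference, so either keep a `List` here or pin the set type in the codec and record it at the call site: `// requestedTypes keeps the client's preference order (insertion-ordered set); getBestEncryptionType relies on it`. `selectEncryptionType` continues below the hunk.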
@@ -148,21 +146,19 @@ public class AuthenticationService
kdcContext.setEncryptionType( bestType );
}
-
- private static void getClientEntry( AuthenticationContext authContext ) throws KerberosException,
- InvalidTicketException
+
+ private static void getClientEntry( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
{
- KerberosPrincipal principal = KerberosUtils.getKerberosPrincipal(
+ KerberosPrincipal principal = KerberosUtils.getKerberosPrincipal(
authContext.getRequest().getKdcReqBody().getCName(), authContext.getRequest().getKdcReqBody().getRealm() );
PrincipalStore store = authContext.getStore();
- PrincipalStoreEntry storeEntry = getEntry( principal, store, ErrorType.KDC_ERR_C_PRINCIPAL_UNKNOWN );
+ PrincipalStoreEntry storeEntry = KerberosUtils.getEntry( principal, store, ErrorType.KDC_ERR_C_PRINCIPAL_UNKNOWN );
authContext.setClientEntry( storeEntry );
}
-
-
- private static void verifyPolicy( AuthenticationContext authContext ) throws KerberosException,
- InvalidTicketException
+
+
+ private static void verifyPolicy( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
{
PrincipalStoreEntry entry = authContext.getClientEntry();
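Review bot: `getClientEntry` now delegates to `KerberosUtils.getEntry`, replacing the private helper that, besides mapping lookup failures to the supplied ErrorType, rejected principals whose key map is null or empty with `KDC_ERR_NULL_KEY`. `KerberosUtils.getEntry` is not in this diff, so it is worth confirming it keeps that check; without it a key-less principal reaches `verifyEncryptedTimestamp` and fails later with a less specific error, or worse, proceeds if the null key is not caught there. A one-line comment at the call site, `// KerberosUtils.getEntry also rejects entries with no keys (KDC_ERR_NULL_KEY)`, would record the expectation. `verifyPolicy` continues below the hunk.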
@@ -181,13 +177,13 @@ public class AuthenticationService
throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
}
}
-
-
+
+
private static void verifySam( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
{
LOG.debug( "Verifying using SAM subsystem." );
KdcReq request = authContext.getRequest();
- KdcServer config = authContext.getConfig();
+ KerberosConfig config = authContext.getConfig();
PrincipalStoreEntry clientEntry = authContext.getClientEntry();
String clientName = clientEntry.getPrincipal().getName();
@@ -207,8 +203,8 @@ public class AuthenticationService
if ( preAuthData == null || preAuthData.size() == 0 )
{
- throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(
- request.getKdcReqBody().getEType(), config.getEncryptionTypes() ) );
+ throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError( authContext.getEncryptionType(), config
+ .getEncryptionTypes() ) );
}
try
@@ -238,14 +234,13 @@ public class AuthenticationService
}
}
}
-
-
- private static void verifyEncryptedTimestamp( AuthenticationContext authContext ) throws KerberosException,
- InvalidTicketException
+
+
+ private static void verifyEncryptedTimestamp( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
{
LOG.debug( "Verifying using encrypted timestamp." );
-
- KdcServer config = authContext.getConfig();
+
+ KerberosConfig config = authContext.getConfig();
KdcReq request = authContext.getRequest();
CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
PrincipalStoreEntry clientEntry = authContext.getClientEntry();
@@ -277,8 +272,7 @@ public class AuthenticationService
if ( preAuthData == null )
{
throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
- preparePreAuthenticationError( authContext.getRequest().getKdcReqBody().getEType(),
- config.getEncryptionTypes() ) );
+ preparePreAuthenticationError( authContext.getEncryptionType(), config.getEncryptionTypes() ) );
}
PaEncTsEnc timestamp = null;
@@ -288,23 +282,15 @@ public class AuthenticationService
if ( paData.getPaDataType().equals( PaDataType.PA_ENC_TIMESTAMP ) )
{
EncryptedData dataValue = KerberosDecoder.decodeEncryptedData( paData.getPaDataValue() );
- paData.getPaDataType();
- byte[] decryptedData = cipherTextHandler.decrypt( clientKey, dataValue,
- KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
+ byte[] decryptedData = cipherTextHandler.decrypt( clientKey, dataValue, KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
timestamp = KerberosDecoder.decodePaEncTsEnc( decryptedData );
}
}
- if ( ( preAuthData.size() > 0 ) && ( timestamp == null ) )
- {
- throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
- }
-
if ( timestamp == null )
{
throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
- preparePreAuthenticationError( authContext.getRequest().getKdcReqBody().getEType(),
- config.getEncryptionTypes() ) );
+ preparePreAuthenticationError( authContext.getEncryptionType(), config.getEncryptionTypes() ) );
}
if ( !timestamp.getPaTimestamp().isInClockSkew( config.getAllowableClockSkew() ) )
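Review bot: Dropping the `KDC_ERR_PADATA_TYPE_NOSUPP` branch changes observable behaviour: a request whose pa-data has entries but no `PA_ENC_TIMESTAMP` is now answered with `KDC_ERR_PREAUTH_REQUIRED` plus the etype hints instead of the unsupported-type error, and nothing in the hunk says why. A short comment above the `if ( timestamp == null )` check, such as `// pa-data without PA-ENC-TIMESTAMP is treated as "no pre-auth yet": answer PREAUTH_REQUIRED with the etype hints so the client can retry, rather than PADATA_TYPE_NOSUPP`, would keep the next reader from restoring the old check. The loop also decrypts every `PA_ENC_TIMESTAMP` entry and keeps only the last; a `break` after the first decoded timestamp would make the intended one-entry semantics explicit.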
@@ -330,22 +316,19 @@ public class AuthenticationService
LOG.debug( "Pre-authentication by encrypted timestamp successful for {}.", clientName );
}
}
-
-
- private static void getServerEntry( AuthenticationContext authContext ) throws KerberosException,
- InvalidTicketException
+
+
+ private static void getServerEntry( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
{
PrincipalName principal = authContext.getRequest().getKdcReqBody().getSName();
PrincipalStore store = authContext.getStore();
-
- KerberosPrincipal principalWithRealm = new KerberosPrincipal( principal.getNameString() + "@"
- + authContext.getRequest().getKdcReqBody().getRealm() );
- authContext.setServerEntry( getEntry( principalWithRealm, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN ) );
- }
-
-
- private static void generateTicket( AuthenticationContext authContext ) throws KerberosException,
- InvalidTicketException
+
+ KerberosPrincipal principalWithRealm = new KerberosPrincipal( principal.getNameString() + "@" + authContext.getRequest().getKdcReqBody().getRealm() );
+ authContext.setServerEntry( KerberosUtils.getEntry( principalWithRealm, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN ) );
+ }
+
+
+ private static void generateTicket( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
{
KdcReq request = authContext.getRequest();
CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
@@ -355,9 +338,9 @@ public class AuthenticationService
EncryptionKey serverKey = authContext.getServerEntry().getKeyMap().get( encryptionType );
PrincipalName ticketPrincipal = request.getKdcReqBody().getSName();
-
+
EncTicketPart encTicketPart = new EncTicketPart();
- KdcServer config = authContext.getConfig();
+ KerberosConfig config = authContext.getConfig();
// The INITIAL flag indicates that a ticket was issued using the AS protocol.
TicketFlags ticketFlags = new TicketFlags();
@@ -400,9 +383,9 @@ public class AuthenticationService
ticketFlags.setFlag( TicketFlag.MAY_POSTDATE );
}
- if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RENEW )
+ if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RENEW )
|| request.getKdcReqBody().getKdcOptions().get( KdcOptions.VALIDATE )
- || request.getKdcReqBody().getKdcOptions().get( KdcOptions.PROXY )
+ || request.getKdcReqBody().getKdcOptions().get( KdcOptions.PROXY )
|| request.getKdcReqBody().getKdcOptions().get( KdcOptions.FORWARDED )
|| request.getKdcReqBody().getKdcOptions().get( KdcOptions.ENC_TKT_IN_SKEY ) )
{
@@ -441,7 +424,7 @@ public class AuthenticationService
* KDC_ERR_CANNOT_POSTDATE is returned."
*/
if ( startTime != null && startTime.greaterThan( now )
- && !startTime.isInClockSkew( config.getAllowableClockSkew() )
+ && !startTime.isInClockSkew( config.getAllowableClockSkew() )
&& !request.getKdcReqBody().getKdcOptions().get( KdcOptions.POSTDATED ) )
{
throw new KerberosException( ErrorType.KDC_ERR_CANNOT_POSTDATE );
@@ -465,7 +448,7 @@ public class AuthenticationService
}
long till = 0;
-
+
if ( request.getKdcReqBody().getTill().getTime() == 0 )
{
till = Long.MAX_VALUE;
@@ -494,8 +477,8 @@ public class AuthenticationService
}
long ticketLifeTime = Math.abs( startTime.getTime() - kerberosEndTime.getTime() );
-
- if ( ticketLifeTime < config.getAllowableClockSkew() )
+
+ if ( ticketLifeTime < config.getMinimumTicketLifetime() )
{
throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
}
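Review bot: Switching the `KDC_ERR_NEVER_VALID` threshold from the clock skew to `config.getMinimumTicketLifetime()` matches RFC 4120 §3.1.3, but the check is only as strong as the default in `KerberosConfig`, which is outside this diff; a zero default makes the test dead, so confirm it is non-zero. The context line computing `ticketLifeTime` with `Math.abs( ... )` also turns a `till` earlier than the start time into a positive lifetime, so unless an earlier check (outside this hunk) already rejects `till < starttime`, `long ticketLifeTime = kerberosEndTime.getTime() - startTime.getTime();` followed by the existing `<` comparison would reject it here as well.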
@@ -587,6 +570,7 @@ public class AuthenticationService
reply.setTicket( ticket );
EncKdcRepPart encKdcRepPart = new EncKdcRepPart();
+ //session key
encKdcRepPart.setKey( ticket.getEncTicketPart().getKey() );
// TODO - fetch lastReq for this client; requires store
@@ -625,8 +609,9 @@ public class AuthenticationService
EncryptedData encryptedData = cipherTextHandler.seal( clientKey, encAsRepPart,
KeyUsage.AS_REP_ENC_PART_WITH_CKEY );
reply.setEncPart( encryptedData );
+ //FIXME the below setter is useless, remove it
reply.setEncKdcRepPart( encKdcRepPart );
-
+
authContext.setReply( reply );
}
@@ -750,40 +735,8 @@ public class AuthenticationService
}
}
}
-
-
- /**
- * Get a PrincipalStoreEntry given a principal. The ErrorType is used to indicate
- * whether any resulting error pertains to a server or client.
- */
- private static PrincipalStoreEntry getEntry( KerberosPrincipal principal, PrincipalStore store, ErrorType errorType )
- throws KerberosException
- {
- PrincipalStoreEntry entry = null;
-
- try
- {
- entry = store.getPrincipal( principal );
- }
- catch ( Exception e )
- {
- throw new KerberosException( errorType, e );
- }
-
- if ( entry == null )
- {
- throw new KerberosException( errorType );
- }
-
- if ( entry.getKeyMap() == null || entry.getKeyMap().isEmpty() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
- }
-
- return entry;
- }
-
-
+
+
/**
* Prepares a pre-authentication error message containing required
* encryption types.
@@ -791,45 +744,56 @@ public class AuthenticationService
* @param encryptionTypes
* @return The error message as bytes.
*/
- private static byte[] preparePreAuthenticationError( List<EncryptionType> clientEncryptionTypes,
- List<EncryptionType> serverEncryptionTypes )
+ private static byte[] preparePreAuthenticationError( EncryptionType requestedType, Set<EncryptionType> encryptionTypes )
{
- PaData[] paDataSequence = new PaData[2];
-
- PaData paData = new PaData();
- paData.setPaDataType( PaDataType.PA_ENC_TIMESTAMP );
- paData.setPaDataValue( Strings.EMPTY_BYTES );
-
- paDataSequence[0] = paData;
-
+ boolean isNewEtype = KerberosUtils.isNewEncryptionType( requestedType );
+
+ ETypeInfo2 eTypeInfo2 = new ETypeInfo2();
+
ETypeInfo eTypeInfo = new ETypeInfo();
-
- for ( EncryptionType encryptionType : clientEncryptionTypes )
+
+ for ( EncryptionType encryptionType : encryptionTypes )
{
- if ( serverEncryptionTypes.contains( encryptionType ) )
+ if ( !isNewEtype )
{
ETypeInfoEntry etypeInfoEntry = new ETypeInfoEntry( encryptionType, null );
eTypeInfo.addETypeInfoEntry( etypeInfoEntry );
}
+
+ ETypeInfo2Entry etypeInfo2Entry = new ETypeInfo2Entry( encryptionType );
+ eTypeInfo2.addETypeInfo2Entry( etypeInfo2Entry );
}
byte[] encTypeInfo = null;
-
+ byte[] encTypeInfo2 = null;
try
{
- ByteBuffer buffer = ByteBuffer.allocate( eTypeInfo.computeLength() );
- encTypeInfo = eTypeInfo.encode( buffer ).array();
+ if ( !isNewEtype )
+ {
+ ByteBuffer buffer = ByteBuffer.allocate( eTypeInfo.computeLength() );
+ encTypeInfo = eTypeInfo.encode( buffer ).array();
+ }
+
+ ByteBuffer buffer = ByteBuffer.allocate( eTypeInfo2.computeLength() );
+ encTypeInfo2 = eTypeInfo2.encode( buffer ).array();
}
catch ( EncoderException ioe )
{
return null;
}
- PaData responsePaData = new PaData( PaDataType.PA_ENCTYPE_INFO, encTypeInfo );
-
MethodData methodData = new MethodData();
- methodData.addPaData( responsePaData );
-
+
+ methodData.addPaData( new PaData( PaDataType.PA_ENC_TIMESTAMP, null ) );
+
+ if ( !isNewEtype )
+ {
+ methodData.addPaData( new PaData( PaDataType.PA_ENCTYPE_INFO, encTypeInfo ) );
+ }
+
+ methodData.addPaData( new PaData( PaDataType.PA_ENCTYPE_INFO2, encTypeInfo2 ) );
+
+
try
{
ByteBuffer buffer = ByteBuffer.allocate( methodData.computeLength() );
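Review bot: The first `catch ( EncoderException ioe ) { return null; }` in `preparePreAuthenticationError` still swallows the failure silently while the matching catch added later in this commit logs it, so an ETYPE-INFO encoding problem yields a `KDC_ERR_PREAUTH_REQUIRED` error with no e-data and no trace in the log; add `LOG.warn( "Failed to encode the etype information", ioe );` before the `return null` for consistency. Also, when the client's best etype is an old one, the loop puts every server etype into the legacy ETYPE-INFO, including new-style types that ETYPE-INFO cannot describe (no s2kparams; RFC 4120 §5.2.7.4–5 pair ETYPE-INFO with the older etypes and ETYPE-INFO2 with the newer ones); filtering the first branch with `if ( !isNewEtype && !KerberosUtils.isNewEncryptionType( encryptionType ) )` keeps new types in ETYPE-INFO2 only. Note the intersection with the client's requested types was dropped, so the KDC now advertises all of its etypes, which is acceptable but is a behaviour change worth a comment. The method continues below the hunk.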
@@ -837,6 +801,7 @@ public class AuthenticationService
}
catch ( EncoderException ee )
{
+ LOG.warn( "Failed to encode the etype information", ee );
return null;
}
}
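Review bot: The warning added here covers only the second encode failure; the earlier `catch ( EncoderException ioe ) { return null; }` around the ETYPE-INFO encoding in the same method still swallows the exception, so a client that receives a KRB-ERROR without pre-auth hints leaves no trace in the log. Give that catch the same treatment, `LOG.warn( "Failed to encode the etype information", ioe );` before its `return null;`, so both failure paths are diagnosable. The head of preparePreAuthenticationError and the caller's handling of the null return are outside this hunk.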
Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java Wed Feb 6 18:19:36 2013
@@ -25,10 +25,13 @@ import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
+import java.util.Set;
+
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.directory.api.asn1.EncoderException;
import org.apache.directory.server.i18n.I18n;
+import org.apache.directory.server.kerberos.KerberosConfig;
import org.apache.directory.server.kerberos.kdc.KdcContext;
import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder;
@@ -46,6 +49,7 @@ import org.apache.directory.shared.kerbe
import org.apache.directory.shared.kerberos.codec.options.ApOptions;
import org.apache.directory.shared.kerberos.codec.options.KdcOptions;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
+import org.apache.directory.shared.kerberos.codec.types.LastReqType;
import org.apache.directory.shared.kerberos.codec.types.PaDataType;
import org.apache.directory.shared.kerberos.components.AuthorizationData;
import org.apache.directory.shared.kerberos.components.Checksum;
@@ -58,6 +62,7 @@ import org.apache.directory.shared.kerbe
import org.apache.directory.shared.kerberos.components.KdcReq;
import org.apache.directory.shared.kerberos.components.KdcReqBody;
import org.apache.directory.shared.kerberos.components.LastReq;
+import org.apache.directory.shared.kerberos.components.LastReqEntry;
import org.apache.directory.shared.kerberos.components.PaData;
import org.apache.directory.shared.kerberos.components.PrincipalName;
import org.apache.directory.shared.kerberos.crypto.checksum.ChecksumType;
@@ -100,7 +105,8 @@ public class TicketGrantingService
configureTicketGranting( tgsContext );
selectEncryptionType( tgsContext );
getAuthHeader( tgsContext );
- verifyTgt( tgsContext );
+ // commenting to allow cross-realm auth
+ //verifyTgt( tgsContext );
getTicketPrincipalEntry( tgsContext );
verifyTgtAuthHeader( tgsContext );
verifyBodyChecksum( tgsContext );
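Review bot: Commenting out `verifyTgt( tgsContext )` removes the whole TGT validation step for every TGS-REQ, not only for cross-realm ones; the `verifyTgt` hunk further down shows it at least performs the primary-realm check, and whatever else it verifies (its body is outside that hunk) is now skipped unconditionally. If cross-realm is the goal, keep the call and relax only the realm comparison inside verifyTgt so that a TGT from another realm is accepted only when it is a krbtgt ticket this KDC can decrypt and validate, rather than disabling the method. A dead `//verifyTgt( tgsContext );` behind a one-line comment also makes the removal of a security check easy to miss; if it has to stay disabled, spell out in the comment which checks are lost and reference a tracking issue.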
@@ -159,10 +165,10 @@ public class TicketGrantingService
private static void selectEncryptionType( TicketGrantingContext tgsContext ) throws Exception
{
- KdcContext kdcContext = tgsContext;
- KdcServer config = kdcContext.getConfig();
+ KdcContext kdcContext = (KdcContext)tgsContext;
+ KerberosConfig config = kdcContext.getConfig();
- List<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();
+ Set<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();
EncryptionType bestType = KerberosUtils.getBestEncryptionType( requestedTypes, config.getEncryptionTypes() );
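Review bot: The cast in `KdcContext kdcContext = (KdcContext)tgsContext;` is redundant: the removed line assigned `tgsContext` to a `KdcContext` without one, so TicketGrantingContext is already a KdcContext. Drop it (`KdcContext kdcContext = tgsContext;`) so the switch to KerberosConfig is the only thing this hunk changes. The rest of selectEncryptionType is outside the hunk.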
@@ -212,7 +218,7 @@ public class TicketGrantingService
public static void verifyTgt( TicketGrantingContext tgsContext ) throws KerberosException
{
- KdcServer config = tgsContext.getConfig();
+ KerberosConfig config = tgsContext.getConfig();
Ticket tgt = tgsContext.getTgt();
// Check primary realm.
@@ -254,21 +260,21 @@ public class TicketGrantingService
{
ApReq authHeader = tgsContext.getAuthHeader();
Ticket tgt = tgsContext.getTgt();
-
- boolean isValidate = tgsContext.getRequest().getKdcReqBody().getKdcOptions().get( KdcOptions.VALIDATE );
+
+ KdcOptions kdcOptions = tgsContext.getRequest().getKdcReqBody().getKdcOptions();
+ boolean isValidate = kdcOptions.get( KdcOptions.VALIDATE );
EncryptionType encryptionType = tgt.getEncPart().getEType();
EncryptionKey serverKey = tgsContext.getTicketPrincipalEntry().getKeyMap().get( encryptionType );
long clockSkew = tgsContext.getConfig().getAllowableClockSkew();
- ReplayCache replayCache = tgsContext.getConfig().getReplayCache();
+ ReplayCache replayCache = tgsContext.getReplayCache();
boolean emptyAddressesAllowed = tgsContext.getConfig().isEmptyAddressesAllowed();
InetAddress clientAddress = tgsContext.getClientAddress();
CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
- Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache,
- emptyAddressesAllowed, clientAddress, cipherTextHandler,
- KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_TGS_SESS_KEY, isValidate );
+ Authenticator authenticator = KerberosUtils.verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache,
+ emptyAddressesAllowed, clientAddress, cipherTextHandler, KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_TGS_SESS_KEY, isValidate );
tgsContext.setAuthenticator( authenticator );
}
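Review bot: `tgsContext.getReplayCache()` is now the only source of the replay cache, and the implementation deleted at the end of this file skipped replay detection entirely when that reference was null (`if ( replayCache != null )`); if KerberosUtils.verifyAuthHeader kept that behavior, any TicketGrantingContext built without `setReplayCache(...)` — tests, or a caller other than KerberosProtocolHandler — silently loses replay protection for the AP-REQ authenticator. Fail fast instead, e.g. `ReplayCache replayCache = Objects.requireNonNull( tgsContext.getReplayCache(), "replay cache" );`, or have verifyAuthHeader reject a null cache. Whether the moved implementation still tolerates null is not visible from this diff.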
@@ -281,7 +287,7 @@ public class TicketGrantingService
*/
private static void verifyBodyChecksum( TicketGrantingContext tgsContext ) throws KerberosException
{
- KdcServer config = tgsContext.getConfig();
+ KerberosConfig config = tgsContext.getConfig();
if ( config.isBodyChecksumVerified() )
{
@@ -302,21 +308,24 @@ public class TicketGrantingService
byte[] bodyBytes = buf.array();
Checksum authenticatorChecksum = tgsContext.getAuthenticator().getCksum();
- // we need the session key
- Ticket tgt = tgsContext.getTgt();
- EncTicketPart encTicketPart = tgt.getEncTicketPart();
- EncryptionKey sessionKey = encTicketPart.getKey();
-
- if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null
- || authenticatorChecksum.getChecksumValue() == null || bodyBytes == null )
+ if ( authenticatorChecksum != null )
{
- throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
+ // we need the session key
+ Ticket tgt = tgsContext.getTgt();
+ EncTicketPart encTicketPart = tgt.getEncTicketPart();
+ EncryptionKey sessionKey = encTicketPart.getKey();
+
+ if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null
+ || authenticatorChecksum.getChecksumValue() == null || bodyBytes == null )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
+ }
+
+ LOG.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() );
+
+ checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, sessionKey.getKeyValue(),
+ KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_AUTHNT_CKSUM_TGS_SESS_KEY );
}
-
- LOG.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() );
-
- checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, sessionKey.getKeyValue(),
- KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_AUTHNT_CKSUM_TGS_SESS_KEY );
}
}
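Review bot: With `isBodyChecksumVerified()` enabled, the new `if ( authenticatorChecksum != null )` guard accepts a TGS-REQ whose authenticator omits the cksum field, where the removed code rejected it with KRB_AP_ERR_INAPP_CKSUM; that checksum is what ties the plaintext KDC-REQ-BODY (sname, options, times, addresses) to the encrypted authenticator, so a body altered after the authenticator was built is no longer detected as long as the checksum is simply dropped. If the aim is to tolerate clients that send no checksum, make that a separate, explicit configuration flag and log at WARN each time the check is skipped; otherwise keep rejecting the null case whenever verification is required. The inner `authenticatorChecksum == null ||` test is now dead under the outer guard and can go.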
@@ -345,8 +354,10 @@ public class TicketGrantingService
EncryptionType encryptionType = tgsContext.getEncryptionType();
EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getKeyMap().get( encryptionType );
- KdcServer config = tgsContext.getConfig();
+ KerberosConfig config = tgsContext.getConfig();
+ tgsContext.getRequest().getKdcReqBody().getAdditionalTickets();
+
EncTicketPart newTicketPart = new EncTicketPart();
newTicketPart.setClientAddresses( tgt.getEncTicketPart().getClientAddresses() );
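Review bot: `tgsContext.getRequest().getKdcReqBody().getAdditionalTickets();` is a bare expression whose result is discarded, and the ENC_TKT_IN_SKEY branch in the next hunk fetches the additional tickets again; delete the line (or assign it to a local that the later code uses) so the method has no stray call that reads like a forgotten check. The enclosing method starts outside this hunk.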
@@ -374,6 +385,21 @@ public class TicketGrantingService
if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.ENC_TKT_IN_SKEY ) )
{
+ Ticket[] additionalTkts = tgsContext.getRequest().getKdcReqBody().getAdditionalTickets();
+
+ if( additionalTkts == null || additionalTkts.length == 0 )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ }
+
+ Ticket additionalTgt = additionalTkts[0];
+ // reject if it is not a TGT
+ if( !additionalTgt.getEncTicketPart().getFlags().isInitial() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
+ serverKey = additionalTgt.getEncTicketPart().getKey();
/*
* if (server not specified) then
* server = req.second_ticket.client;
@@ -386,19 +412,16 @@ public class TicketGrantingService
*
* new_tkt.enc-part := encrypt OCTET STRING using etype_for_key(second-ticket.key), second-ticket.key;
*/
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
- }
- else
- {
- EncryptedData encryptedData = cipherTextHandler.seal( serverKey, newTicketPart,
- KeyUsage.AS_OR_TGS_REP_TICKET_WITH_SRVKEY );
-
- Ticket newTicket = new Ticket( request.getKdcReqBody().getSName(), encryptedData );
- newTicket.setEncTicketPart( newTicketPart );
- newTicket.setRealm( request.getKdcReqBody().getRealm() );
-
- tgsContext.setNewTicket( newTicket );
+ //throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
}
+
+ EncryptedData encryptedData = cipherTextHandler.seal( serverKey, newTicketPart, KeyUsage.AS_OR_TGS_REP_TICKET_WITH_SRVKEY );
+
+ Ticket newTicket = new Ticket( request.getKdcReqBody().getSName(), encryptedData );
+ newTicket.setEncTicketPart( newTicketPart );
+ newTicket.setRealm( request.getKdcReqBody().getRealm() );
+
+ tgsContext.setNewTicket( newTicket );
}
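Review bot: The `isInitial()` test does not establish that the additional ticket is a TGT: INITIAL is set on any ticket issued by the AS exchange, including an ordinary service ticket, while a renewed TGT may lack it, and the RFC pseudocode quoted in the comment block expects the second ticket to be the server's TGT, so check that its sname is krbtgt for this realm and, as that pseudocode says, derive the new ticket's sname from `second_ticket.client` instead of the request's sname. Nothing in this hunk decrypts or validates the additional ticket before `additionalTgt.getEncTicketPart().getKey()` is used as the sealing key, so either that happens elsewhere before this point or a ticket that was never decrypted yields a null enc-part here; the decryption with the KDC's own krbtgt key is what proves the second ticket is genuine, so please point to where that (plus the validity window and INVALID flag) is checked, or do it here before trusting the session key. The commented-out `//throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );` should be deleted rather than left behind. The enclosing method starts outside this hunk.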
@@ -419,7 +442,11 @@ public class TicketGrantingService
encKdcRepPart.setKey( newTicket.getEncTicketPart().getKey() );
encKdcRepPart.setNonce( request.getKdcReqBody().getNonce() );
// TODO - resp.last-req := fetch_last_request_info(client); requires store
- encKdcRepPart.setLastReq( new LastReq() );
+ // FIXME temporary fix, IMO we should create some new ATs to store this info in DIT
+ LastReq lastReq = new LastReq();
+ lastReq.addEntry( new LastReqEntry( LastReqType.TIME_OF_INITIAL_REQ, new KerberosTime() ) );
+ encKdcRepPart.setLastReq( lastReq );
+
encKdcRepPart.setFlags( newTicket.getEncTicketPart().getFlags() );
encKdcRepPart.setClientAddresses( newTicket.getEncTicketPart().getClientAddresses() );
encKdcRepPart.setAuthTime( newTicket.getEncTicketPart().getAuthTime() );
@@ -470,7 +497,15 @@ public class TicketGrantingService
{
Ticket tgt = tgsContext.getTgt();
long clockSkew = tgsContext.getConfig().getAllowableClockSkew();
- ChecksumType checksumType = tgsContext.getAuthenticator().getCksum().getChecksumType();
+
+ Checksum cksum = tgsContext.getAuthenticator().getCksum();
+
+ ChecksumType checksumType = null;
+ if ( cksum != null )
+ {
+ checksumType = cksum.getChecksumType();
+ }
+
InetAddress clientAddress = tgsContext.getClientAddress();
HostAddresses clientAddresses = tgt.getEncTicketPart().getClientAddresses();
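Review bot: `checksumType` can now be null and is handed on to the code that follows, which is outside this hunk; if that consumer still dereferences it (the removed line shows it used to be assumed non-null) the NPE has only moved. Either confirm the consumer accepts null, or decide in one place how a missing authenticator checksum is treated — it is the same condition the new null guard in verifyBodyChecksum lets through — and reject it here with KRB_AP_ERR_INAPP_CKSUM when body-checksum verification is required.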
@@ -553,8 +588,8 @@ public class TicketGrantingService
}
}
-
- private static void processFlags( KdcServer config, KdcReq request, Ticket tgt,
+
+ private static void processFlags( KerberosConfig config, KdcReq request, Ticket tgt,
EncTicketPart newTicketPart ) throws KerberosException
{
if ( tgt.getEncTicketPart().getFlags().isPreAuth() )
@@ -749,7 +784,7 @@ public class TicketGrantingService
}
- private static void processTimes( KdcServer config, KdcReq request, EncTicketPart newTicketPart,
+ private static void processTimes( KerberosConfig config, KdcReq request, EncTicketPart newTicketPart,
Ticket tgt ) throws KerberosException
{
KerberosTime now = new KerberosTime();
@@ -1001,142 +1036,4 @@ public class TicketGrantingService
return entry;
}
-
- /**
- * Verifies an AuthHeader using guidelines from RFC 1510 section A.10., "KRB_AP_REQ verification."
- *
- * @param authHeader
- * @param ticket
- * @param serverKey
- * @param clockSkew
- * @param replayCache
- * @param emptyAddressesAllowed
- * @param clientAddress
- * @param lockBox
- * @param authenticatorKeyUsage
- * @param isValidate
- * @return The authenticator.
- * @throws KerberosException
- */
- public static Authenticator verifyAuthHeader( ApReq authHeader, Ticket ticket, EncryptionKey serverKey,
- long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress clientAddress,
- CipherTextHandler lockBox, KeyUsage authenticatorKeyUsage, boolean isValidate ) throws KerberosException
- {
- if ( authHeader.getProtocolVersionNumber() != KerberosConstants.KERBEROS_V5 )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
- }
-
- if ( authHeader.getMessageType() != KerberosMessageType.AP_REQ )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
- }
-
- if ( authHeader.getTicket().getTktVno() != KerberosConstants.KERBEROS_V5 )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_BADVERSION );
- }
-
- EncryptionKey ticketKey = null;
-
- if ( authHeader.getOption( ApOptions.USE_SESSION_KEY ) )
- {
- ticketKey = authHeader.getTicket().getEncTicketPart().getKey();
- }
- else
- {
- ticketKey = serverKey;
- }
-
- if ( ticketKey == null )
- {
- // TODO - check server key version number, skvno; requires store
- // if ( false )
- // {
- // throw new KerberosException( ErrorType.KRB_AP_ERR_BADKEYVER );
- // }
-
- throw new KerberosException( ErrorType.KRB_AP_ERR_NOKEY );
- }
-
- byte[] encTicketPartData = lockBox.decrypt( ticketKey, ticket.getEncPart(),
- KeyUsage.AS_OR_TGS_REP_TICKET_WITH_SRVKEY );
- EncTicketPart encPart = KerberosDecoder.decodeEncTicketPart( encTicketPartData );
- ticket.setEncTicketPart( encPart );
-
- byte[] authenticatorData = lockBox.decrypt( ticket.getEncTicketPart().getKey(), authHeader.getAuthenticator(),
- authenticatorKeyUsage );
-
- Authenticator authenticator = KerberosDecoder.decodeAuthenticator( authenticatorData );
-
- if ( !authenticator.getCName().getNameString().equals( ticket.getEncTicketPart().getCName().getNameString() ) )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_BADMATCH );
- }
-
- if ( ticket.getEncTicketPart().getClientAddresses() != null )
- {
- if ( !ticket.getEncTicketPart().getClientAddresses().contains( new HostAddress( clientAddress ) ) )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
- }
- }
- else
- {
- if ( !emptyAddressesAllowed )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
- }
- }
-
- KerberosPrincipal serverPrincipal = KerberosUtils.getKerberosPrincipal( ticket.getSName(), ticket.getRealm() );
- KerberosPrincipal clientPrincipal = KerberosUtils.getKerberosPrincipal( authenticator.getCName(),
- authenticator.getCRealm() );
- KerberosTime clientTime = authenticator.getCtime();
- int clientMicroSeconds = authenticator.getCusec();
-
- if ( replayCache != null )
- {
- if ( replayCache.isReplay( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds ) )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_REPEAT );
- }
-
- replayCache.save( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds );
- }
-
- if ( !authenticator.getCtime().isInClockSkew( clockSkew ) )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_SKEW );
- }
-
- /*
- * "The server computes the age of the ticket: local (server) time minus
- * the starttime inside the Ticket. If the starttime is later than the
- * current time by more than the allowable clock skew, or if the INVALID
- * flag is set in the ticket, the KRB_AP_ERR_TKT_NYV error is returned."
- */
- KerberosTime startTime = ( ticket.getEncTicketPart().getStartTime() != null ) ? ticket.getEncTicketPart()
- .getStartTime() : ticket.getEncTicketPart().getAuthTime();
-
- KerberosTime now = new KerberosTime();
- boolean isValidStartTime = startTime.lessThan( now );
-
- if ( !isValidStartTime || ( ticket.getEncTicketPart().getFlags().isInvalid() && !isValidate ) )
- {
- // it hasn't yet become valid
- throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
- }
-
- // TODO - doesn't take into account skew
- if ( !ticket.getEncTicketPart().getEndTime().greaterThan( now ) )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
- }
-
- authHeader.getApOptions().set( ApOptions.MUTUAL_REQUIRED );
-
- return authenticator;
- }
-
}
Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java Wed Feb 6 18:19:36 2013
@@ -26,6 +26,7 @@ import java.net.InetSocketAddress;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.directory.server.i18n.I18n;
+import org.apache.directory.server.kerberos.KerberosConfig;
import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService;
@@ -57,8 +58,8 @@ public class KerberosProtocolHandler imp
/** The logger for this class */
private static final Logger log = LoggerFactory.getLogger( KerberosProtocolHandler.class );
- /** The KDC server instance */
- private KdcServer config;
+ /** The KDC server */
+ private KdcServer kdcServer;
/** The principal Name store */
private PrincipalStore store;
@@ -69,12 +70,12 @@ public class KerberosProtocolHandler imp
/**
* Creates a new instance of KerberosProtocolHandler.
*
- * @param config
+ * @param kdcServer
* @param store
*/
- public KerberosProtocolHandler( KdcServer config, PrincipalStore store )
+ public KerberosProtocolHandler( KdcServer kdcServer, PrincipalStore store )
{
- this.config = config;
+ this.kdcServer = kdcServer;
this.store = store;
}
@@ -135,7 +136,7 @@ public class KerberosProtocolHandler imp
{
log.error( I18n.err( I18n.ERR_152, ErrorType.KRB_AP_ERR_BADDIRECTION ) );
- session.write( getErrorMessage( config.getServicePrincipal(), new KerberosException(
+ session.write( getErrorMessage( kdcServer.getConfig().getServicePrincipal(), new KerberosException(
ErrorType.KRB_AP_ERR_BADDIRECTION ) ) );
return;
}
@@ -150,7 +151,7 @@ public class KerberosProtocolHandler imp
{
case AS_REQ:
AuthenticationContext authContext = new AuthenticationContext();
- authContext.setConfig( config );
+ authContext.setConfig( kdcServer.getConfig() );
authContext.setStore( store );
authContext.setClientAddress( clientAddress );
authContext.setRequest( request );
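Review bot: The AS_REQ branch does not receive the replay cache, while the TGS_REQ branch in the next hunk now calls `tgsContext.setReplayCache( kdcServer.getReplayCache() )`; the cache used to be reachable through the KdcServer passed as `config`, so if AuthenticationService consulted it for PA-ENC-TIMESTAMP replay detection that lookup now has nowhere to go. If the AS path needs it, add `authContext.setReplayCache( kdcServer.getReplayCache() );` after `setConfig`; if it does not, a short comment saying so would stop the asymmetry from reading as an omission. AuthenticationService's use of the cache is not visible in this diff.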
@@ -163,7 +164,8 @@ public class KerberosProtocolHandler imp
case TGS_REQ:
TicketGrantingContext tgsContext = new TicketGrantingContext();
- tgsContext.setConfig( config );
+ tgsContext.setConfig( kdcServer.getConfig() );
+ tgsContext.setReplayCache( kdcServer.getReplayCache() );
tgsContext.setStore( store );
tgsContext.setClientAddress( clientAddress );
tgsContext.setRequest( request );
@@ -195,7 +197,7 @@ public class KerberosProtocolHandler imp
log.warn( messageText );
}
- KrbError error = getErrorMessage( config.getServicePrincipal(), ke );
+ KrbError error = getErrorMessage( kdcServer.getConfig().getServicePrincipal(), ke );
if ( log.isDebugEnabled() )
{
@@ -208,7 +210,7 @@ public class KerberosProtocolHandler imp
{
log.error( I18n.err( I18n.ERR_152, e.getLocalizedMessage() ), e );
- session.write( getErrorMessage( config.getServicePrincipal(), new KerberosException(
+ session.write( getErrorMessage( kdcServer.getConfig().getServicePrincipal(), new KerberosException(
ErrorType.KDC_ERR_SVC_UNAVAILABLE ) ) );
}
}
Added: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/KerberosProtocolCodecFactory.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/KerberosProtocolCodecFactory.java?rev=1443107&view=auto
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/KerberosProtocolCodecFactory.java (added)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/KerberosProtocolCodecFactory.java Wed Feb 6 18:19:36 2013
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.kerberos.protocol.codec;
+
+
+import org.apache.mina.core.session.IoSession;
+import org.apache.mina.filter.codec.ProtocolCodecFactory;
+import org.apache.mina.filter.codec.ProtocolDecoder;
+import org.apache.mina.filter.codec.ProtocolEncoder;
+
+
+/**
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class KerberosProtocolCodecFactory implements ProtocolCodecFactory
+{
+ private static final KerberosProtocolCodecFactory INSTANCE = new KerberosProtocolCodecFactory();
+
+
+ /**
+ * Returns the singleton {@link KerberosProtocolCodecFactory}.
+ *
+ * @return The singleton {@link KerberosProtocolCodecFactory}.
+ */
+ public static KerberosProtocolCodecFactory getInstance()
+ {
+ return INSTANCE;
+ }
+
+
+ private KerberosProtocolCodecFactory()
+ {
+ // Private constructor prevents instantiation outside this class.
+ }
+
+
+ public ProtocolEncoder getEncoder( IoSession session )
+ {
+ // Create a new encoder.
+ return new MinaKerberosEncoder();
+ }
+
+
+ public ProtocolDecoder getDecoder( IoSession session )
+ {
+ // Create a new decoder.
+ return new MinaKerberosDecoder();
+ }
+}
Added: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosDecoder.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosDecoder.java?rev=1443107&view=auto
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosDecoder.java (added)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosDecoder.java Wed Feb 6 18:19:36 2013
@@ -0,0 +1,48 @@
+
+package org.apache.directory.server.kerberos.protocol.codec;
+
+import java.nio.ByteBuffer;
+
+import org.apache.directory.api.asn1.ber.Asn1Decoder;
+import org.apache.directory.shared.kerberos.codec.KerberosMessageContainer;
+import org.apache.mina.core.buffer.IoBuffer;
+import org.apache.mina.core.session.IoSession;
+import org.apache.mina.filter.codec.ProtocolDecoderAdapter;
+import org.apache.mina.filter.codec.ProtocolDecoderOutput;
+
+public class MinaKerberosDecoder extends ProtocolDecoderAdapter
+{
+ /** the key used while storing message container in the session */
+ private static final String KERBEROS_MESSAGE_CONTAINER = "kerberosMessageContainer";
+
+ /** The ASN 1 decoder instance */
+ private Asn1Decoder asn1Decoder = new Asn1Decoder();
+
+ @Override
+ public void decode( IoSession session, IoBuffer in, ProtocolDecoderOutput out ) throws Exception
+ {
+ ByteBuffer buf = in.buf();
+
+ KerberosMessageContainer kerberosMessageContainer = ( KerberosMessageContainer ) session.getAttribute( KERBEROS_MESSAGE_CONTAINER );
+
+ if ( kerberosMessageContainer == null )
+ {
+ kerberosMessageContainer = new KerberosMessageContainer();
+ session.setAttribute( KERBEROS_MESSAGE_CONTAINER, kerberosMessageContainer );
+ kerberosMessageContainer.setStream( buf );
+ kerberosMessageContainer.setGathering( true );
+ kerberosMessageContainer.setTCP( !session.getTransportMetadata().isConnectionless() );
+ }
+
+ try
+ {
+ Object obj = KerberosDecoder.decode( kerberosMessageContainer, asn1Decoder );
+ out.write( obj );
+ }
+ finally
+ {
+ session.removeAttribute( KERBEROS_MESSAGE_CONTAINER );
+ }
+ }
+
+}
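Review bot: The `finally` removes the KerberosMessageContainer on every call, so the container never survives between `decode` invocations and the `session.getAttribute` branch is dead; with gathering set to true but no retained state, a TCP PDU that arrives in more than one read cannot be reassembled, and `setStream( buf )` is only ever invoked on a freshly created container. Either keep the attribute until KerberosDecoder.decode reports a complete message (resetting the stream on each call) and remove it only then, or extend MINA's CumulativeProtocolDecoder, which accumulates bytes until `doDecode` returns true. Since this sits on an unauthenticated network port, also make sure the length-prefixed TCP path bounds the declared PDU size before buffering; that check, if it exists, lives inside KerberosDecoder and is not visible here.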
Added: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosEncoder.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosEncoder.java?rev=1443107&view=auto
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosEncoder.java (added)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/codec/MinaKerberosEncoder.java Wed Feb 6 18:19:36 2013
@@ -0,0 +1,27 @@
+
+package org.apache.directory.server.kerberos.protocol.codec;
+
+import java.nio.ByteBuffer;
+
+import org.apache.directory.api.asn1.AbstractAsn1Object;
+import org.apache.mina.core.buffer.IoBuffer;
+import org.apache.mina.core.session.IoSession;
+import org.apache.mina.filter.codec.ProtocolEncoderAdapter;
+import org.apache.mina.filter.codec.ProtocolEncoderOutput;
+
+public class MinaKerberosEncoder extends ProtocolEncoderAdapter
+{
+
+ @Override
+ public void encode( IoSession session, Object message, ProtocolEncoderOutput out ) throws Exception
+ {
+ AbstractAsn1Object asn1Obj = ( AbstractAsn1Object ) message;
+ boolean isTcp = !session.getTransportMetadata().isConnectionless();
+
+ ByteBuffer encodedByteBuf = KerberosEncoder.encode( asn1Obj, isTcp );
+ IoBuffer buf = IoBuffer.allocate( encodedByteBuf.remaining() );
+ buf.put( encodedByteBuf.array() );
+ buf.flip();
+ out.write( buf );
+ }
+}
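Review bot: `buf.put( encodedByteBuf.array() )` copies the entire backing array, but `buf` was sized from `encodedByteBuf.remaining()`; the two agree only if KerberosEncoder.encode returns a flipped buffer whose array is exactly the message length, otherwise this throws BufferOverflowException or, with a non-zero position, sends bytes that are not part of the message. Copy the buffer's live window instead, `buf.put( encodedByteBuf );` before the existing `flip()` (or `IoBuffer.wrap( encodedByteBuf )`), which respects position and limit. The unchecked cast to AbstractAsn1Object will throw ClassCastException for anything else written to the session, which is acceptable for a codec but deserves a one-line comment.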
Modified: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractAuthenticationServiceTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractAuthenticationServiceTest.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractAuthenticationServiceTest.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractAuthenticationServiceTest.java Wed Feb 6 18:19:36 2013
@@ -59,26 +59,25 @@ public abstract class AbstractAuthentica
protected static final SecureRandom random = new SecureRandom();
- protected PaData[] getPreAuthEncryptedTimeStamp( KerberosPrincipal clientPrincipal, String passPhrase, List<EncryptionType> encryptionTypes )
+ protected PaData[] getPreAuthEncryptedTimeStamp( KerberosPrincipal clientPrincipal, String passPhrase )
throws Exception
{
KerberosTime timeStamp = new KerberosTime();
- return getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase, timeStamp, encryptionTypes );
+ return getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase, timeStamp );
}
protected PaData[] getPreAuthEncryptedTimeStamp( KerberosPrincipal clientPrincipal,
- String passPhrase, KerberosTime timeStamp, List<EncryptionType> encryptionTypes ) throws Exception
+ String passPhrase, KerberosTime timeStamp ) throws Exception
{
PaData[] paData = new PaData[1];
PaEncTsEnc encryptedTimeStamp = new PaEncTsEnc( timeStamp, 0 );
- EncryptionKey clientKey = getEncryptionKey( clientPrincipal, passPhrase, encryptionTypes );
+ EncryptionKey clientKey = getEncryptionKey( clientPrincipal, passPhrase );
- EncryptedData encryptedData = lockBox.seal( clientKey, encryptedTimeStamp,
- KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
+ EncryptedData encryptedData = lockBox.seal( clientKey, encryptedTimeStamp, KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
ByteBuffer buffer = ByteBuffer.allocate( encryptedData.computeLength() );
byte[] encodedEncryptedData = encryptedData.encode( buffer ).array();
@@ -110,13 +109,11 @@ public abstract class AbstractAuthentica
* @param passPhrase
* @return The server's {@link EncryptionKey}.
*/
- protected EncryptionKey getEncryptionKey( KerberosPrincipal principal, String passPhrase, List<EncryptionType> encryptionTypes )
+ protected EncryptionKey getEncryptionKey( KerberosPrincipal principal, String passPhrase )
{
- EncryptionType encryptionType = encryptionTypes.get( 0 );
-
KerberosKey kerberosKey = new KerberosKey( principal, passPhrase.toCharArray(), "AES128" );
byte[] keyBytes = kerberosKey.getEncoded();
- EncryptionKey key = new EncryptionKey( encryptionType, keyBytes );
+ EncryptionKey key = new EncryptionKey( EncryptionType.AES128_CTS_HMAC_SHA1_96, keyBytes );
return key;
}
Modified: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java Wed Feb 6 18:19:36 2013
@@ -123,7 +123,7 @@ public abstract class AbstractTicketGran
ticketFlags.setFlag( TicketFlag.RENEWABLE );
encTicketPart.setFlags( ticketFlags );
- EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.DES_CBC_MD5 );
+ EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
encTicketPart.setKey( sessionKey );
encTicketPart.setCName( new PrincipalName( clientPrincipal ) );
@@ -161,7 +161,7 @@ public abstract class AbstractTicketGran
ticketFlags.setFlag( TicketFlag.RENEWABLE );
encTicketPart.setFlags( ticketFlags );
- EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.DES_CBC_MD5 );
+ EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
encTicketPart.setKey( sessionKey );
encTicketPart.setCName( new PrincipalName( clientPrincipal ) );
Modified: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationEncryptionTypeTest.java Wed Feb 6 18:19:36 2013
@@ -24,14 +24,13 @@ import static org.junit.Assert.assertEqu
import static org.junit.Assert.assertTrue;
import java.nio.ByteBuffer;
-import java.util.ArrayList;
import java.util.HashSet;
-import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.kerberos.KerberosPrincipal;
+import org.apache.directory.server.kerberos.KerberosConfig;
import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
@@ -64,7 +63,8 @@ import org.junit.Test;
*/
public class AuthenticationEncryptionTypeTest extends AbstractAuthenticationServiceTest
{
- private KdcServer config;
+ private KerberosConfig config;
+ private KdcServer kdcServer;
private PrincipalStore store;
private KerberosProtocolHandler handler;
private KrbDummySession session;
@@ -76,9 +76,10 @@ public class AuthenticationEncryptionTyp
@Before
public void setUp()
{
- config = new KdcServer();
+ kdcServer = new KdcServer();
+ config = kdcServer.getConfig();
store = new MapPrincipalStoreImpl();
- handler = new KerberosProtocolHandler( config, store );
+ handler = new KerberosProtocolHandler( kdcServer, store );
session = new KrbDummySession();
lockBox = new CipherTextHandler();
}
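Review bot: `config` is still assigned from `kdcServer.getConfig()` here, but the only two uses of it that appear in this file's hunks (`config.getEncryptionTypes()` at -124 and -294) are removed in the same commit. If no other reference to `config` remains in the parts of the class outside the hunks, the field and this assignment are dead and should go, leaving `kdcServer` as the single handle the test owns. If a reference does remain, a short field comment saying which settings the test reads from it would help the next reader.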
@@ -90,7 +91,7 @@ public class AuthenticationEncryptionTyp
@After
public void shutDown()
{
- config.stop();
+ kdcServer.stop();
}
@@ -100,7 +101,7 @@ public class AuthenticationEncryptionTyp
* @throws Exception
*/
@Test
- @Ignore("AbstractAuthenticationServiceTest.getEncryptionKey() always uses AES128_CTS_HMAC_SHA1_96")
+ @Ignore( "uses DES but the encryption key is generated in AbstractAuthenticationServiceTest always uses AES" )
public void testRequestDesCbcMd5() throws Exception
{
KdcReqBody kdcReqBody = new KdcReqBody();
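Review bot: The new `@Ignore` reason reads less clearly than the one it replaces: "uses DES but the encryption key is generated in AbstractAuthenticationServiceTest always uses AES" is grammatically broken and no longer names the method responsible. Suggest `@Ignore( "requests DES_CBC_MD5, but AbstractAuthenticationServiceTest.getEncryptionKey() always generates an AES128_CTS_HMAC_SHA1_96 key" )` so the reason states both the requested etype and the fixture limitation that blocks the test. The test body continues past the hunk.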
@@ -108,7 +109,7 @@ public class AuthenticationEncryptionTyp
kdcReqBody.setSName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
kdcReqBody.setRealm( "EXAMPLE.COM" );
- List<EncryptionType> encryptionTypes = new ArrayList<EncryptionType>();
+ Set<EncryptionType> encryptionTypes = new HashSet<EncryptionType>();
encryptionTypes.add( EncryptionType.DES_CBC_MD5 );
kdcReqBody.setEType( encryptionTypes );
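Review bot: The requested etypes are now built as a `HashSet`, which discards insertion order; in a KDC-REQ-BODY the etype sequence is the client's preference order (RFC 4120 section 5.4.1), so a set type that keeps order is the safer container for a request fixture. With a single element here it makes no difference, but the same pattern is repeated at -158, -218 and -278, and any future multi-etype test would silently lose its preference order. Using `new LinkedHashSet<EncryptionType>()` at all four sites preserves order while still satisfying the `Set` parameter that `setEType` now takes (the `setEType` signature change itself is outside this file).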
@@ -121,7 +122,7 @@ public class AuthenticationEncryptionTyp
KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
String passPhrase = "secret";
- PaData[] paDatas = getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase, config.getEncryptionTypes() );
+ PaData[] paDatas = getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase );
KdcReq message = new AsReq();
message.setKdcReqBody( kdcReqBody );
@@ -158,7 +159,7 @@ public class AuthenticationEncryptionTyp
kdcReqBody.setSName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
kdcReqBody.setRealm( "EXAMPLE.COM" );
- List<EncryptionType> encryptionTypes = new ArrayList<EncryptionType>();
+ Set<EncryptionType> encryptionTypes = new HashSet<EncryptionType>();
encryptionTypes.add( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
kdcReqBody.setEType( encryptionTypes );
@@ -218,7 +219,7 @@ public class AuthenticationEncryptionTyp
kdcReqBody.setSName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
kdcReqBody.setRealm( "EXAMPLE.COM" );
- List<EncryptionType> encryptionTypes = new ArrayList<EncryptionType>();
+ Set<EncryptionType> encryptionTypes = new HashSet<EncryptionType>();
encryptionTypes.add( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
kdcReqBody.setEType( encryptionTypes );
@@ -278,8 +279,8 @@ public class AuthenticationEncryptionTyp
kdcReqBody.setSName( getPrincipalName( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" ) );
kdcReqBody.setRealm( "EXAMPLE.COM" );
- List<EncryptionType> requestedEncryptionTypes = new ArrayList<EncryptionType>();
- requestedEncryptionTypes.add( EncryptionType.RC4_MD4 );
+ Set<EncryptionType> requestedEncryptionTypes = new HashSet<EncryptionType>();
+ requestedEncryptionTypes.add( EncryptionType.RC4_HMAC );
kdcReqBody.setEType( requestedEncryptionTypes );
kdcReqBody.setNonce( random.nextInt() );
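Review bot: The requested etype changes from `RC4_MD4` to `RC4_HMAC` without a comment explaining why this value was chosen; the method name and its assertions are outside the hunk, so the intent has to be inferred from the local name `requestedEncryptionTypes`. If this method exercises the path where the client asks for an etype the KDC is not configured for, `RC4_HMAC` is a widely supported etype and the test's outcome then depends on it being absent from the `KdcServer` default set, which is worth stating explicitly, e.g. `// RC4_HMAC is requested because it is not in the KdcServer's default etype set`. If instead the test expects the request to succeed, the comment should say that.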
@@ -291,7 +292,7 @@ public class AuthenticationEncryptionTyp
KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
String passPhrase = "secret";
- PaData[] paDatas = getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase, config.getEncryptionTypes() );
+ PaData[] paDatas = getPreAuthEncryptedTimeStamp( clientPrincipal, passPhrase );
KdcReq message = new AsReq();
message.setKdcReqBody( kdcReqBody );
@@ -317,8 +318,7 @@ public class AuthenticationEncryptionTyp
PaEncTsEnc encryptedTimeStamp = new PaEncTsEnc( timeStamp, 0 );
- EncryptedData encryptedData = lockBox.seal( clientKey, encryptedTimeStamp,
- KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
+ EncryptedData encryptedData = lockBox.seal( clientKey, encryptedTimeStamp, KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
ByteBuffer buffer = ByteBuffer.allocate( encryptedData.computeLength() );
byte[] encodedEncryptedData = encryptedData.encode( buffer ).array();
Modified: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java?rev=1443107&r1=1443106&r2=1443107&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AuthenticationPolicyTest.java Wed Feb 6 18:19:36 2013
@@ -22,6 +22,7 @@ package org.apache.directory.server.kerb
import static org.junit.Assert.assertEquals;
+import org.apache.directory.server.kerberos.KerberosConfig;
import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.directory.shared.kerberos.KerberosTime;
@@ -43,7 +44,8 @@ import org.junit.Test;
*/
public class AuthenticationPolicyTest extends AbstractAuthenticationServiceTest
{
- private KdcServer config;
+ private KerberosConfig config;
+ private KdcServer kdcServer;
private PrincipalStore store;
private KerberosProtocolHandler handler;
private KrbDummySession session;
@@ -55,9 +57,10 @@ public class AuthenticationPolicyTest ex
@Before
public void setUp()
{
- config = new KdcServer();
+ kdcServer = new KdcServer();
+ config = kdcServer.getConfig();
store = new MapPrincipalStoreImpl();
- handler = new KerberosProtocolHandler( config, store );
+ handler = new KerberosProtocolHandler( kdcServer, store );
session = new KrbDummySession();
}
@@ -68,7 +71,7 @@ public class AuthenticationPolicyTest ex
@After
public void shutDown()
{
- config.stop();
+ kdcServer.stop();
}