Posted to commits@directory.apache.org by er...@apache.org on 2005/09/14 23:35:48 UTC
svn commit: r280945 - in
/directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos:
crypto/encryption/EncryptionEngine.java service/LockBox.java
service/VerifyAuthHeader.java
Author: erodriguez
Date: Wed Sep 14 14:35:44 2005
New Revision: 280945
URL: http://svn.apache.org/viewcvs?rev=280945&view=rev
Log:
Update to kerberos-common to address DIRKERBEROS-4:
o Added a Hashed Adapter encapsulating ASN.1 and cipher processing to perform one-step seal() and unseal() operations. A seal() operation performs an encode and an encrypt, while an unseal() operation performs a decrypt and a decode.
o Removed some exceptions thrown by EncryptionEngine that are now encapsulated in the hashed adapter.
o Updated VerifyAuthHeader to use the new unseal() method with Tickets and Authenticators.
http://issues.apache.org/jira/browse/DIRKERBEROS-4
Added:
directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java (with props)
Modified:
directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/crypto/encryption/EncryptionEngine.java
directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
Modified: directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/crypto/encryption/EncryptionEngine.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/crypto/encryption/EncryptionEngine.java?rev=280945&r1=280944&r2=280945&view=diff
==============================================================================
--- directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/crypto/encryption/EncryptionEngine.java (original)
+++ directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/crypto/encryption/EncryptionEngine.java Wed Sep 14 14:35:44 2005
@@ -20,7 +20,6 @@
import org.apache.kerberos.crypto.checksum.ChecksumEngine;
import org.apache.kerberos.crypto.checksum.ChecksumType;
-import org.apache.kerberos.exceptions.KerberosException;
import org.apache.kerberos.messages.value.EncryptedData;
import org.apache.kerberos.messages.value.EncryptionKey;
import org.bouncycastle.crypto.BlockCipher;
@@ -43,7 +42,6 @@
public abstract int keySize();
public byte[] getDecryptedData( EncryptionKey key, EncryptedData data )
- throws KerberosException
{
byte[] decryptedData = decrypt( data.getCipherText(), key.getKeyValue() );
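Review bot: Dropping `throws KerberosException` from getDecryptedData leaves the engine with no checked path to report a failed integrity check on the ciphertext, and the method body continues outside the hunk, so it is not visible how a checksum mismatch is signalled now. Unless the body raises an unchecked exception, a tampered or wrongly keyed message would decrypt "successfully" and only fail later in ASN.1 decoding, which the new LockBox reports as KDC_ERR_ETYPE_NOSUPP rather than KRB_AP_ERR_BAD_INTEGRITY. The same clause is removed from getEncryptedData in the next hunk. Please add Javadoc to both methods stating what happens when the embedded checksum does not verify, e.g. `/** Decrypts {@code data} with {@code key} and verifies the embedded checksum; see the class Javadoc for how a mismatch is reported. */`.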
@@ -51,7 +49,6 @@
}
public EncryptedData getEncryptedData( EncryptionKey key, byte[] plainText )
- throws KerberosException
{
byte[] conFounder = getRandomBytes( confounderSize() );
byte[] zeroedChecksum = new byte[ checksumSize() ];
Added: directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java?rev=280945&view=auto
==============================================================================
--- directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java (added)
+++ directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java Wed Sep 14 14:35:44 2005
@@ -0,0 +1,235 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.kerberos.service;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.kerberos.crypto.encryption.Des3CbcMd5Encryption;
+import org.apache.kerberos.crypto.encryption.Des3CbcSha1Encryption;
+import org.apache.kerberos.crypto.encryption.DesCbcCrcEncryption;
+import org.apache.kerberos.crypto.encryption.DesCbcMd4Encryption;
+import org.apache.kerberos.crypto.encryption.DesCbcMd5Encryption;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionType;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
+import org.apache.kerberos.io.decoder.AuthorizationDataDecoder;
+import org.apache.kerberos.io.decoder.Decoder;
+import org.apache.kerberos.io.decoder.DecoderFactory;
+import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
+import org.apache.kerberos.io.decoder.EncryptedTimestampDecoder;
+import org.apache.kerberos.io.encoder.EncAsRepPartEncoder;
+import org.apache.kerberos.io.encoder.EncTgsRepPartEncoder;
+import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
+import org.apache.kerberos.io.encoder.Encoder;
+import org.apache.kerberos.io.encoder.EncoderFactory;
+import org.apache.kerberos.messages.AuthenticationReply;
+import org.apache.kerberos.messages.Encodable;
+import org.apache.kerberos.messages.TicketGrantReply;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.EncTicketPart;
+import org.apache.kerberos.messages.value.AuthorizationData;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptedTimeStamp;
+import org.apache.kerberos.messages.value.EncryptionKey;
+
+/**
+ * A Hashed Adapter encapsulating ASN.1 encoders and decoders and cipher text engines to
+ * perform seal() and unseal() operations. A seal() operation performs an encode and an
+ * encrypt, while an unseal() operation performs a decrypt and a decode.
+ */
+public class LockBox
+{
+ /** a map of the default encodable class names to the encoder class names */
+ private static final Map DEFAULT_ENCODERS;
+ /** a map of the default encodable class names to the decoder class names */
+ private static final Map DEFAULT_DECODERS;
+ /** a map of the default encryption types to the encryption engine class names */
+ private static final Map DEFAULT_CIPHERS;
+
+ static
+ {
+ Map map = new HashMap();
+
+ map.put( EncTicketPart.class, EncTicketPartEncoder.class );
+ map.put( AuthenticationReply.class, EncAsRepPartEncoder.class );
+ map.put( TicketGrantReply.class, EncTgsRepPartEncoder.class );
+
+ DEFAULT_ENCODERS = Collections.unmodifiableMap( map );
+ }
+
+ static
+ {
+ Map map = new HashMap();
+
+ map.put( EncTicketPart.class, EncTicketPartDecoder.class );
+ map.put( Authenticator.class, AuthenticatorDecoder.class );
+ map.put( EncryptedTimeStamp.class, EncryptedTimestampDecoder.class );
+ map.put( AuthorizationData.class, AuthorizationDataDecoder.class );
+
+ DEFAULT_DECODERS = Collections.unmodifiableMap( map );
+ }
+
+ static
+ {
+ Map map = new HashMap();
+
+ map.put( EncryptionType.DES_CBC_CRC, DesCbcCrcEncryption.class );
+ map.put( EncryptionType.DES_CBC_MD4, DesCbcMd4Encryption.class );
+ map.put( EncryptionType.DES_CBC_MD5, DesCbcMd5Encryption.class );
+ map.put( EncryptionType.DES3_CBC_MD5, Des3CbcMd5Encryption.class );
+ map.put( EncryptionType.DES3_CBC_SHA1, Des3CbcSha1Encryption.class );
+
+ DEFAULT_CIPHERS = Collections.unmodifiableMap( map );
+ }
+
+ public EncryptedData seal( EncryptionKey key, Encodable encodable ) throws KerberosException
+ {
+ try
+ {
+ return encrypt( key, encode( encodable ) );
+ }
+ catch ( IOException ioe )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
+ }
+ catch ( ClassCastException cce )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+ }
+ }
+
+ public Encodable unseal( Class hint, EncryptionKey key, EncryptedData data ) throws KerberosException
+ {
+ try
+ {
+ return decode( hint, decrypt( key, data ) );
+ }
+ catch ( IOException ioe )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
+ }
+ catch ( ClassCastException cce )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+ }
+ }
+
+ private EncryptedData encrypt( EncryptionKey key, byte[] plainText ) throws IOException
+ {
+ EncryptionEngine engine = getEngine( key );
+
+ return engine.getEncryptedData( key, plainText );
+ }
+
+ private byte[] decrypt( EncryptionKey key, EncryptedData data ) throws IOException
+ {
+ EncryptionEngine engine = getEngine( key );
+
+ return engine.getDecryptedData( key, data );
+ }
+
+ private byte[] encode( Encodable encodable ) throws IOException
+ {
+ Class encodableClass = encodable.getClass();
+
+ Class clazz = (Class) DEFAULT_ENCODERS.get( encodableClass );
+
+ if ( clazz == null )
+ {
+ throw new IOException( "Encoder unavailable for " + encodableClass );
+ }
+
+ EncoderFactory factory = null;
+
+ try
+ {
+ factory = (EncoderFactory) clazz.newInstance();
+ }
+ catch ( IllegalAccessException iae )
+ {
+ throw new IOException( "Error accessing encoder for " + encodableClass );
+ }
+ catch ( InstantiationException ie )
+ {
+ throw new IOException( "Error instantiating encoder for " + encodableClass );
+ }
+
+ Encoder encoder = factory.getEncoder();
+
+ return encoder.encode( encodable );
+ }
+
+ private Encodable decode( Class encodable, byte[] plainText ) throws IOException
+ {
+ Class clazz = (Class) DEFAULT_DECODERS.get( encodable );
+
+ if ( clazz == null )
+ {
+ throw new IOException( "Decoder unavailable for " + encodable );
+ }
+
+ DecoderFactory factory = null;
+
+ try
+ {
+ factory = (DecoderFactory) clazz.newInstance();
+ }
+ catch ( IllegalAccessException iae )
+ {
+ throw new IOException( "Error accessing decoder for " + encodable );
+ }
+ catch ( InstantiationException ie )
+ {
+ throw new IOException( "Error instantiating decoder for " + encodable );
+ }
+
+ Decoder decoder = factory.getDecoder();
+
+ return decoder.decode( plainText );
+ }
+
+ private EncryptionEngine getEngine( EncryptionKey key ) throws IOException
+ {
+ EncryptionType encryptionType = key.getKeyType();
+
+ Class clazz = (Class) DEFAULT_CIPHERS.get( encryptionType );
+
+ if ( clazz == null )
+ {
+ throw new IOException( "Unsupported encryption type " + encryptionType );
+ }
+
+ try
+ {
+ return (EncryptionEngine) clazz.newInstance();
+ }
+ catch ( IllegalAccessException iae )
+ {
+ throw new IOException( "Error accessing cipher for " + encryptionType );
+ }
+ catch ( InstantiationException ie )
+ {
+ throw new IOException( "Error instantiating cipher for " + encryptionType );
+ }
+ }
+}
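Review bot: In unseal, the catch of IOException maps every failure to KDC_ERR_ETYPE_NOSUPP, but decode() also throws IOException when the decrypted bytes fail to parse or when no decoder is registered for the hint, so a tampered or wrongly keyed ticket or authenticator would be reported as an unsupported encryption type; after this commit the only checked IOException in decrypt() comes from getEngine(), so the two stages can be told apart by giving each its own try block. The ClassCastException handlers in seal and unseal can only be raised by the factory casts inside encode(), decode() and getEngine(), i.e. a misconfigured DEFAULT_* map, which is a programming error rather than an integrity failure; it is worth saying so in a comment, as a caller's cast of the returned Encodable is not covered here. The cause exception is also discarded in every handler; if KerberosException can carry a cause, passing it would make decoding failures diagnosable from logs.

```java
public Encodable unseal( Class hint, EncryptionKey key, EncryptedData data ) throws KerberosException
{
    byte[] plainText;

    try
    {
        plainText = decrypt( key, data );
    }
    catch ( IOException ioe )
    {
        // getEngine() is the only checked IOException source here: unknown or uninstantiable etype
        throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
    }

    try
    {
        return decode( hint, plainText );
    }
    catch ( IOException ioe )
    {
        // plaintext that does not decode was tampered with or decrypted under the wrong key
        throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
    }
    catch ( ClassCastException cce )
    {
        throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
    }
}
```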
Propchange: directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/LockBox.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java?rev=280945&r1=280944&r2=280945&view=diff
==============================================================================
--- directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java (original)
+++ directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java Wed Sep 14 14:35:44 2005
@@ -16,16 +16,11 @@
*/
package org.apache.kerberos.service;
-import java.io.IOException;
import java.net.InetAddress;
import org.apache.kerberos.chain.impl.CommandBase;
-import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
import org.apache.kerberos.exceptions.ErrorType;
import org.apache.kerberos.exceptions.KerberosException;
-import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
-import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
import org.apache.kerberos.messages.ApplicationRequest;
import org.apache.kerberos.messages.MessageType;
import org.apache.kerberos.messages.components.Authenticator;
@@ -45,8 +40,8 @@
{
// RFC 1510 A.10. KRB_AP_REQ verification
public Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket, EncryptionKey serverKey,
- long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress clientAddress )
- throws KerberosException, IOException
+ long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress clientAddress, LockBox lockBox )
+ throws KerberosException
{
if ( authHeader.getProtocolVersionNumber() != 5 )
{
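Review bot: The new `lockBox` parameter is undocumented; the only comment on verifyAuthHeader is `// RFC 1510 A.10. KRB_AP_REQ verification`, and a caller cannot tell from the signature that the adapter must have decoders registered for EncTicketPart and Authenticator, the two types the following hunk asks it to unseal. The narrowed `throws KerberosException` also means the caller now receives whatever error code LockBox.unseal assigns, whereas the try/catch blocks removed further down had mapped every decryption failure to KRB_AP_ERR_BAD_INTEGRITY. Suggest a Javadoc on the method with `@param lockBox adapter used to decrypt and decode the ticket's encrypted part and the authenticator; must be configured with decoders for EncTicketPart and Authenticator` and a `@throws KerberosException` line naming the error codes the decryption and decoding steps can produce. The method body continues past the end of this hunk.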
@@ -85,35 +80,10 @@
throw new KerberosException( ErrorType.KRB_AP_ERR_NOKEY );
}
- try
- {
- EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( ticketKey );
-
- byte[] decTicketPart = engine.getDecryptedData( ticketKey, ticket.getEncPart() );
-
- EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder();
- EncTicketPart encPart = ticketPartDecoder.decode( decTicketPart );
- ticket.setEncTicketPart( encPart );
- }
- catch ( KerberosException ke )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
- }
+ EncTicketPart encPart = (EncTicketPart) lockBox.unseal( EncTicketPart.class, ticketKey, ticket.getEncPart() );
+ ticket.setEncTicketPart( encPart );
- Authenticator authenticator;
-
- try
- {
- EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( ticket.getSessionKey() );
-
- byte[] decAuthenticator = engine.getDecryptedData( ticket.getSessionKey(), authHeader.getEncPart() );
- AuthenticatorDecoder authDecoder = new AuthenticatorDecoder();
- authenticator = authDecoder.decode( decAuthenticator );
- }
- catch ( KerberosException ke )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
- }
+ Authenticator authenticator = (Authenticator) lockBox.unseal( Authenticator.class, ticket.getSessionKey(), authHeader.getEncPart() );
if ( !authenticator.getClientPrincipal().getName().equals( ticket.getClientPrincipal().getName() ) )
{