Posted to commits@directory.apache.org by er...@apache.org on 2004/10/31 07:27:51 UTC
svn commit: rev 56123 - in incubator/directory/kerberos/trunk/source/main/org/apache/kerberos: crypto kdc kdc/server/udp kdc/store
Author: erodriguez
Date: Sat Oct 30 23:27:50 2004
New Revision: 56123
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/crypto/CryptoService.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/server/udp/Main.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
Log:
Moved all service dependencies to use constructor injection and began to centralize all configuration parameters.
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/crypto/CryptoService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/crypto/CryptoService.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/crypto/CryptoService.java Sat Oct 30 23:27:50 2004
@@ -25,12 +25,16 @@
import java.util.*;
public class CryptoService {
-
+
private static final Map _encryptionEngines = new HashMap();
private static final Map _checksumEngines = new HashMap();
- // TODO - these maps are classic configuration and, as such, probably belong elsewhere
- public CryptoService() {
+ private KdcConfiguration _config;
+
+ public CryptoService(KdcConfiguration config) {
+
+ _config = config;
+
_encryptionEngines.put(EncryptionType.NULL, new NullEncryption());
_encryptionEngines.put(EncryptionType.DES_CBC_CRC, new DesCbcCrcEncryption());
_encryptionEngines.put(EncryptionType.DES_CBC_MD4, new DesCbcMd4Encryption());
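Review bot: `_encryptionEngines` and `_checksumEngines` at the top of the hunk remain `static final` while the constructor that fills them is now an instance constructor taking `config`, so every `new CryptoService(config)` re-puts into the two shared maps. Since the commit moves to a single injected instance, the maps fit better as instance fields (`private final Map _encryptionEngines = new HashMap();`) or as a one-time static initializer, and `_config` can be `private final KdcConfiguration _config;` because it is assigned only in the constructor. The constructor body continues past the end of the hunk.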
@@ -56,18 +60,21 @@
return (EncryptionEngine)_encryptionEngines.get(type);
}
- public static EncryptionType getBestEncryptionType(EncryptionType[] requestedTypes) {
+ public EncryptionType getBestEncryptionType(EncryptionType[] requestedTypes)
+ throws KerberosException {
+
+ EncryptionType[] encryptionTypes = _config.getEncryptionTypes();
for (int i = 0; i < requestedTypes.length; i++) {
- for (int j = 0; j < LocalConfig.DEFAULT_ETYPE_LIST.length; j++) {
- if (requestedTypes[i] == LocalConfig.DEFAULT_ETYPE_LIST[j])
- return LocalConfig.DEFAULT_ETYPE_LIST[j];
+ for (int j = 0; j < encryptionTypes.length; j++) {
+ if (requestedTypes[i] == encryptionTypes[j])
+ return encryptionTypes[j];
}
}
- return LocalConfig.DEFAULT_ETYPE;
+ throw KerberosException.KDC_ERR_ETYPE_NOSUPP;
}
- public static EncryptionKey getNewSessionKey() {
+ public EncryptionKey getNewSessionKey() {
byte[] confounder = Confounder.bytes(8);
DesStringToKey subSessionKey = new DesStringToKey(new String(confounder));
return new EncryptionKey(EncryptionType.DES_CBC_MD5, subSessionKey.getKey());
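Review bot: `getNewSessionKey` at the end of the hunk is now an instance method but still ignores both the negotiated type and `_config.getEncryptionTypes()`: the key type is hard-wired to `EncryptionType.DES_CBC_MD5`, and the key material is produced by passing the confounder through `new String(confounder)` (platform charset) into `DesStringToKey`, which can map some byte values to replacement characters and so lose entropy before the string-to-key step. A cleaner shape is an overload `getNewSessionKey(EncryptionType type)` that derives the key directly from random bytes for the requested type, with the no-arg method delegating to it for DES_CBC_MD5; the TicketGrantingService hunk at L228-L234 negotiates `eType` immediately after generating the key and could pass it in. Whether `Confounder.bytes` is backed by `SecureRandom` is not visible here and is worth confirming, since this output becomes a ticket session key. The loop above walks `requestedTypes` in the client's order, so client preference rather than KDC preference decides among mutually supported types; that is a defensible choice but deserves a comment such as `// client preference order wins; the configured list only filters`.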
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java Sat Oct 30 23:27:50 2004
@@ -27,12 +27,18 @@
public class AuthenticationService {
- private PrincipalStore _store;
- private PrincipalStore _bootstrap;
-
- public AuthenticationService(PrincipalStore store, PrincipalStore bootstrap) {
- _store = store;
- _bootstrap = bootstrap;
+ private PrincipalStore _store;
+ private PrincipalStore _bootstrap;
+ private CryptoService _cryptoService;
+ private KdcConfiguration _config;
+
+ public AuthenticationService(PrincipalStore store, PrincipalStore bootstrap,
+ CryptoService cryptoService, KdcConfiguration config) {
+
+ _store = store;
+ _bootstrap = bootstrap;
+ _cryptoService = cryptoService;
+ _config = config;
}
public AuthenticationReply getReplyFor(KdcRequest request) throws KerberosException {
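Review bot: The four fields introduced at the top of the hunk are assigned only in the constructor but are not declared `final`, and the constructor accepts `null` for any of them, so a wiring mistake surfaces later as a NullPointerException inside `getReplyFor` rather than at construction time. Declaring them `private final` and guarding with e.g. `_cryptoService = Objects.requireNonNull(cryptoService, "cryptoService");` makes the dependency contract explicit; the same applies to the new constructors in TicketGrantingService (L201-L226), KdcDispatcher (L148-L175) and LdapStore (L382-L414).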
@@ -133,7 +139,7 @@
request.getKdcOptions().get(KdcOptions.ENC_TKT_IN_SKEY))
throw KerberosException.KDC_ERR_BADOPTION;
- newTicketBody.setSessionKey(CryptoService.getNewSessionKey());
+ newTicketBody.setSessionKey(_cryptoService.getNewSessionKey());
newTicketBody.setClientPrincipal(request.getClientPrincipal());
newTicketBody.setTransitedEncoding(new TransitedEncoding());
@@ -142,7 +148,7 @@
if (request.getKdcOptions().get(KdcOptions.POSTDATED)) {
// TODO - possibly allow req.from range
- if (!LocalConfig.KDC_POSTDATE_ALLOWED)
+ if (!_config.isPostdateAllowed())
throw KerberosException.KDC_ERR_POLICY;
newTicketBody.setFlag(TicketFlags.INVALID);
newTicketBody.setStartTime(request.getFrom());
@@ -159,7 +165,7 @@
new_tkt.starttime+server.max_life,
new_tkt.starttime+max_life_for_realm);
*/
- long endTime = Math.min(now.getTime() + LocalConfig.DEFAULT_MAXIMUM_TICKET_LIFETIME, till);
+ long endTime = Math.min(now.getTime() + _config.getMaximumTicketLifetime(), till);
KerberosTime kerberosEndTime = new KerberosTime(endTime);
newTicketBody.setEndTime(kerberosEndTime);
@@ -189,7 +195,7 @@
if (request.getKdcOptions().get(KdcOptions.RENEWABLE)) {
newTicketBody.setFlag(TicketFlags.RENEWABLE);
long renewTill = Math.min(request.getFrom().getTime()
- + LocalConfig.DEFAULT_MAXIMUM_RENEWABLE_LIFETIME, tempRtime);
+ + _config.getMaximumRenewableLifetime(), tempRtime);
newTicketBody.setRenewTill(new KerberosTime(renewTill));
}
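Review bot: The renewable lifetime on the changed line is anchored at `request.getFrom().getTime()`, while the parallel TGS code at L292 anchors the same computation at `now.getTime()`; `from` is optional in a KDC-REQ-BODY and the POSTDATED branch at L103 is the only code in view that relies on it, so if `getFrom()` returns null for a client that sent no `from` field this line throws NullPointerException for every ordinary renewable request. Anchoring at `now` removes that path and makes the two services agree: `long renewTill = Math.min(now.getTime() + _config.getMaximumRenewableLifetime(), tempRtime);`. The enclosing method begins outside the hunk.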
@@ -214,9 +220,7 @@
try {
byte[] plainText = encoder.encode(ticketPart);
- CryptoService enc = new CryptoService();
-
- encryptedTicketPart = enc.getEncryptedData(serverKey, plainText);
+ encryptedTicketPart = _cryptoService.getEncryptedData(serverKey, plainText);
} catch (Exception e) {
e.printStackTrace();
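Review bot: The encryption call moved onto `_cryptoService` still sits in a `catch (Exception e)` that only calls `e.printStackTrace()`, so a failure to encrypt the ticket part leaves `encryptedTicketPart` unassigned and the method carries on; the same pattern surrounds the reply encryption in the next hunk (L129-L136). The TGS side at L306 already fails with `KRB_ERR_GENERIC` in its equivalent path, so this catch should do the same, `} catch (Exception e) { throw KerberosException.KRB_ERR_GENERIC; }`, with the cause logged rather than printed to stdout. The variable's declaration and the code after the catch are outside the hunk.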
@@ -230,9 +234,7 @@
try {
byte[] plainText = encoder.encode(reply);
- CryptoService enc = new CryptoService();
-
- EncryptedData cipherText = enc.getEncryptedData(clientKey, plainText);
+ EncryptedData cipherText = _cryptoService.getEncryptedData(clientKey, plainText);
reply.setEncPart(cipherText);
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java Sat Oct 30 23:27:50 2004
@@ -16,6 +16,7 @@
*/
package org.apache.kerberos.kdc;
+import org.apache.kerberos.crypto.*;
import org.apache.kerberos.io.decoder.*;
import org.apache.kerberos.io.encoder.*;
import org.apache.kerberos.kdc.replay.*;
@@ -31,21 +32,26 @@
private static final byte TGS_REQ = (byte) 0x6C;
private static final byte TGS_REP = (byte) 0x6D;
- private static final ReplayCache replay = new InMemoryReplayCache();
+ private ReplayCache _replay = new InMemoryReplayCache();
- private static final KdcRequestDecoder decoder = new KdcRequestDecoder();
- private static final KdcReplyEncoder encoder = new KdcReplyEncoder();
+ private KdcRequestDecoder _decoder = new KdcRequestDecoder();
+ private KdcReplyEncoder _encoder = new KdcReplyEncoder();
- private static final PrincipalStore bootstrap = new KdcBootstrapStore();
+ private PrincipalStore _bootstrap = new KdcBootstrapStore();
+ private CryptoService _cryptoService;
+ private KdcConfiguration _config;
+ private PrincipalStore _store;
private AuthenticationService _authService;
private TicketGrantingService _tgsService;
- private PrincipalStore _store;
- public KdcDispatcher(PrincipalStore store) {
+ public KdcDispatcher(KdcConfiguration config, PrincipalStore store) {
+ _config = config;
_store = store;
- _authService = new AuthenticationService(_store, bootstrap);
- _tgsService = new TicketGrantingService(_store, bootstrap, replay);
+
+ _cryptoService = new CryptoService(_config);
+ _authService = new AuthenticationService(_store, _bootstrap, _cryptoService, _config);
+ _tgsService = new TicketGrantingService(_store, _bootstrap, _cryptoService, _config, _replay);
}
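Review bot: `_replay` at the top of the hunk changes from a `static final` cache shared by all dispatchers to a per-instance `new InMemoryReplayCache()`, so replay detection is now scoped to one `KdcDispatcher`; with Main holding a single static instance (L342) this is harmless today, but a second dispatcher (another listener or transport) would not see the first one's authenticators. Since the commit is about constructor injection, the cache fits the same pattern: `public KdcDispatcher(KdcConfiguration config, PrincipalStore store, ReplayCache replay)` with the caller deciding the sharing scope, and the injected fields declared `final`. The decoder and encoder are also plain instance state now; if they hold no per-request state that is fine, but a short comment saying so would save the next reader a check.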
public byte[] dispatch(byte[] requestBytes) throws IOException, KerberosException {
@@ -53,7 +59,7 @@
ByteArrayInputStream input = new ByteArrayInputStream(requestBytes);
ByteArrayOutputStream output = new ByteArrayOutputStream();
- KdcRequest request = decoder.decode(input);
+ KdcRequest request = _decoder.decode(input);
byte messageType = requestBytes[0];
@@ -63,7 +69,7 @@
// generate the reply
AuthenticationReply authReply = _authService.getReplyFor(request);
// ASN1 encode the reply
- encoder.encode(authReply, output);
+ _encoder.encode(authReply, output);
break;
@@ -71,7 +77,7 @@
// generate the reply
TicketGrantReply ticketReply = _tgsService.getReplyFor(request);
// ASN1 encode the reply
- encoder.encode(ticketReply, output);
+ _encoder.encode(ticketReply, output);
break;
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java Sat Oct 30 23:27:50 2004
@@ -37,14 +37,20 @@
*/
public class TicketGrantingService {
- private PrincipalStore _store;
- private PrincipalStore _bootstrap;
- private ReplayCache _replayCache;
-
- public TicketGrantingService(PrincipalStore store, PrincipalStore bootstrap, ReplayCache replay) {
- _store = store;
- _bootstrap = bootstrap;
- _replayCache = replay;
+ private PrincipalStore _store;
+ private PrincipalStore _bootstrap;
+ private CryptoService _cryptoService;
+ private KdcConfiguration _config;
+ private ReplayCache _replayCache;
+
+ public TicketGrantingService(PrincipalStore store, PrincipalStore bootstrap,
+ CryptoService cryptoService, KdcConfiguration config, ReplayCache replay) {
+
+ _store = store;
+ _bootstrap = bootstrap;
+ _cryptoService = cryptoService;
+ _config = config;
+ _replayCache = replay;
}
public TicketGrantReply getReplyFor(KdcRequest request) throws KerberosException, IOException {
@@ -61,9 +67,9 @@
verifyBodyChecksum(authenticator.getChecksum(), request);
- EncryptionKey sessionKey = CryptoService.getNewSessionKey();
+ EncryptionKey sessionKey = _cryptoService.getNewSessionKey();
- EncryptionType eType = CryptoService.getBestEncryptionType(request.getEType());
+ EncryptionType eType = _cryptoService.getBestEncryptionType(request.getEType());
Ticket newTicket = getNewTicket(request, tgt, sessionKey, authenticator);
@@ -131,10 +137,8 @@
throw KerberosException.KRB_AP_ERR_NOKEY;
}
- CryptoService enc = new CryptoService();
-
try {
- byte[] decTicketPart = enc.decrypt(serverKey, tgt.getEncPart());
+ byte[] decTicketPart = _cryptoService.decrypt(serverKey, tgt.getEncPart());
EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder();
EncTicketPart encPart = ticketPartDecoder.decode(decTicketPart);
@@ -146,7 +150,7 @@
Authenticator authenticator;
try {
- byte[] decAuthenticator = enc.decrypt(tgt.getSessionKey(), authHeader.getEncPart());
+ byte[] decAuthenticator = _cryptoService.decrypt(tgt.getSessionKey(), authHeader.getEncPart());
AuthenticatorDecoder authDecoder = new AuthenticatorDecoder();
authenticator = authDecoder.decode(decAuthenticator);
} catch (KerberosException ke) {
@@ -173,10 +177,10 @@
_replayCache.save(authenticator.getClientTime(), authenticator.getClientPrincipal());
- if (!authenticator.getClientTime().isInClockSkew())
+ if (!authenticator.getClientTime().isInClockSkew(_config.getClockSkew()))
throw KerberosException.KRB_AP_ERR_SKEW;
- if (tgt.getStartTime() != null && !tgt.getStartTime().isInClockSkew() ||
+ if (tgt.getStartTime() != null && !tgt.getStartTime().isInClockSkew(_config.getClockSkew()) ||
tgt.getFlag(TicketFlags.INVALID))
// it hasn't yet become valid
throw KerberosException.KRB_AP_ERR_TKT_NYV;
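Review bot: `_replayCache.save(...)` at the top of the hunk records the authenticator before the skew check on the following line can reject it, so authenticators outside `_config.getClockSkew()` are stored anyway; moving the save below the two time checks keeps the cache limited to authenticators the KDC accepted (the replay lookup itself is above the hunk and not visible here). The start-time test on the changed line reuses the same `isInClockSkew` predicate as the authenticator test but is documented as "hasn't yet become valid"; if `isInClockSkew` rejects both past and future times, a start time more than the skew in the past would also be reported as `KRB_AP_ERR_TKT_NYV`, which reads as the wrong error — worth a `// NOTE: confirm isInClockSkew is one-sided here; only a future start time means NYV` or an explicit future-only comparison. The method starts before the hunk.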
@@ -200,7 +204,7 @@
throws KerberosException {
Ticket tgt = authHeader.getTicket();
- if (!tgt.getRealm().toString().equals(LocalConfig.KDC_PRIMARY_REALM) &&
+ if (!tgt.getRealm().toString().equals(_config.getPrimaryRealm()) &&
!tgt.getServerPrincipal().equals(request.getServerPrincipal()))
throw KerberosException.KRB_AP_ERR_NOT_US;
}
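Review bot: The `&&` on the changed condition means `KRB_AP_ERR_NOT_US` is raised only when the ticket's realm differs from `_config.getPrimaryRealm()` and its server principal also differs from the requested server, so a ticket from another realm passes whenever those two principals happen to match, and a same-realm ticket issued to an arbitrary service passes as well. RFC 4120's KRB_AP_REQ processing (§3.2.3) has the server verify that the ticket is for itself, which for the TGS would mean comparing `tgt.getServerPrincipal()` against the ticket-granting service's own principal rather than against `request.getServerPrincipal()`, and joining the realm test with `||`. How `tgt` is otherwise validated (the decryption path in L235-L244 uses a looked-up `serverKey`) is not fully visible here, so please confirm the intended semantics before changing the condition.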
@@ -351,7 +355,7 @@
newTicketBody.setFlag(TicketFlags.POSTDATED);
newTicketBody.setFlag(TicketFlags.INVALID);
- if (!LocalConfig.KDC_POSTDATE_ALLOWED)
+ if (!_config.isPostdateAllowed())
throw KerberosException.KDC_ERR_POLICY;
newTicketBody.setStartTime(request.getFrom());
@@ -425,7 +429,7 @@
*/
List minimizer = new ArrayList();
minimizer.add(till);
- minimizer.add(new KerberosTime(now.getTime() + LocalConfig.KDC_MAXIMUM_TICKET_LIFETIME));
+ minimizer.add(new KerberosTime(now.getTime() + _config.getMaximumTicketLifetime()));
minimizer.add(tgt.getEndTime());
KerberosTime minTime = (KerberosTime)Collections.min(minimizer);
newTicketBody.setEndTime(minTime);
@@ -461,7 +465,7 @@
// TODO - client and server configurable; requires store
List minimizer = new ArrayList();
minimizer.add(rtime);
- minimizer.add(new KerberosTime(now.getTime() + LocalConfig.DEFAULT_MAXIMUM_RENEWABLE_LIFETIME));
+ minimizer.add(new KerberosTime(now.getTime() + _config.getMaximumRenewableLifetime()));
minimizer.add(tgt.getRenewTill());
newTicketBody.setRenewTill((KerberosTime)Collections.min(minimizer));
}
@@ -474,8 +478,7 @@
if (request.getEncAuthorizationData() != null) {
try {
- CryptoService enc = new CryptoService();
- byte[] decryptedAuthData = enc.decrypt(authHeader.getSubSessionKey(),
+ byte[] decryptedAuthData = _cryptoService.decrypt(authHeader.getSubSessionKey(),
request.getEncAuthorizationData());
AuthorizationDataDecoder decoder = new AuthorizationDataDecoder();
authData = decoder.decode(decryptedAuthData);
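Review bot: The changed line decrypts `enc-authorization-data` only with `authHeader.getSubSessionKey()`; RFC 4120 §3.3.1 has the client encrypt that field under the authenticator subkey if present and otherwise under the TGT session key, so a request without a subkey either passes `null` into `decrypt` or fails, depending on what the decoder returns for an absent subkey (not visible here). A fallback keeps both cases working, assuming `tgt` is in scope here as it is in the methods above: `EncryptionKey authDataKey = authHeader.getSubSessionKey() != null ? authHeader.getSubSessionKey() : tgt.getSessionKey();` with the decrypt call using `authDataKey`. The surrounding `try`'s catch and the later use of `authData` are outside the hunk.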
@@ -522,8 +525,6 @@
throw KerberosException.KRB_ERR_GENERIC;
}
- CryptoService enc = new CryptoService();
-
if (request.getOption(KdcOptions.ENC_TKT_IN_SKEY)) {
/*
if (server not specified) then
@@ -539,7 +540,7 @@
} else {
// encrypt with serverKey
}
- return enc.getEncryptedData(serverKey, encodedTicket);
+ return _cryptoService.getEncryptedData(serverKey, encodedTicket);
}
// TODO - support multiple encryption types, this is hardwired for DES_CBC_MD5
@@ -548,9 +549,7 @@
try {
byte[] plainText = encoder.encode(reply);
- CryptoService enc = new CryptoService();
-
- EncryptedData cipherText = enc.getEncryptedData(key, plainText);
+ EncryptedData cipherText = _cryptoService.getEncryptedData(key, plainText);
reply.setEncPart(cipherText);
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/server/udp/Main.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/server/udp/Main.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/server/udp/Main.java Sat Oct 30 23:27:50 2004
@@ -24,11 +24,9 @@
public class Main {
- public static final int DEFAULT_PORT = 88;
- public static final int BUFFER_SIZE = 1024;
-
- private static final PrincipalStore ldap = new LdapStore();
- private static final KdcDispatcher kdc = new KdcDispatcher(ldap);
+ private static final KdcConfiguration config = new KdcConfiguration();
+ private static final PrincipalStore ldap = new LdapStore(config);
+ private static final KdcDispatcher kdc = new KdcDispatcher(config, ldap);
public static void main(String[] args) {
Main m = new Main();
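Review bot: `config`, `ldap` and `kdc` are built in static initializers from a bare `new KdcConfiguration()`, yet `initConfig()` (added at L368, still `// TODO - implement`) runs only from `go()` after the services already hold that object, so at this commit the KDC runs entirely on `KdcConfiguration` defaults. That now includes the LDAP JNDI environment: LdapStore's last hunk (L415-L435) replaces the explicit SASL settings (GSSAPI, mutual authentication, `auth-conf` QoP, `high` strength, binary `krb5Key`) with `_config.getProperties()`, so whether the directory connection keeps integrity and confidentiality protection now depends on a class not in this diff. Until `initConfig()` exists, the safest wiring is to build the services after configuration is loaded (in `go()`, or a static block that calls `initConfig()` first) and to have `initConfig()` fail fast if the SASL QoP/strength properties are absent, with a comment in KdcConfiguration recording the defaults it supplies.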
@@ -36,13 +34,16 @@
}
private void go() {
+
+ initConfig();
+ initStore();
+
DatagramSocket socket = null;
try {
- socket = new DatagramSocket(DEFAULT_PORT);
- initStore();
+ socket = new DatagramSocket(config.getDefaultPort());
while (true) {
- byte[] requestBytes = new byte[BUFFER_SIZE];
+ byte[] requestBytes = new byte[config.getBufferSize()];
DatagramPacket packet = new DatagramPacket(requestBytes, requestBytes.length);
socket.receive(packet);
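Review bot: `initStore()` is moved out of the `try` (L350), so a failure inside it — the JAAS login in `LdapStore.init()` at L392-L400, for instance — now propagates out of `go()` instead of reaching the handler below the loop; that is a reasonable fail-fast, but if that handler was meant to cover store errors it no longer does, and a comment `// fail fast: no socket is opened until the store is reachable` would make the intent explicit. Inside the loop, `new byte[config.getBufferSize()]` is the whole receive buffer, and what is handed on for a datagram shorter than it is decided below the hunk; if the full array reaches `kdc.dispatch`, trim it with `Arrays.copyOf(requestBytes, packet.getLength())` so the decoder never sees the zero tail. The rest of `go()` continues outside the hunk.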
@@ -56,6 +57,10 @@
if (socket != null)
socket.close();
}
+ }
+
+ private void initConfig() {
+ // TODO - implement
}
private void initStore() {
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java Sat Oct 30 23:27:50 2004
@@ -20,7 +20,6 @@
import org.apache.kerberos.kdc.jaas.*;
import java.security.*;
-import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
@@ -42,27 +41,34 @@
public static final String PRINCIPAL_REALM = "krb5PrincipalRealm";
public static final String REALM_NAME = "krb5RealmName";
- private Subject _subject;
+ private KdcConfiguration _config;
+ private Subject _subject;
+
+ public LdapStore(KdcConfiguration config) {
+ _config = config;
+ }
public void init() {
if (_subject == null) {
- KdcSubject subjectLogin = new KdcSubjectLogin(LocalConfig.KDC_PRINCIPAL,
- LocalConfig.KDC_PASSPHRASE);
+ KdcSubject subjectLogin = new KdcSubjectLogin(_config.getKdcPrincipal(),
+ _config.getKdcPassPhrase());
_subject = subjectLogin.getSubject();
}
}
public PrincipalStoreEntry getEntry(KerberosPrincipal principal) {
- return (PrincipalStoreEntry)Subject.doAs(_subject, new JaasLdapLookupAction(principal));
+ return (PrincipalStoreEntry)Subject.doAs(_subject, new JaasLdapLookupAction(_config, principal));
}
}
class JaasLdapLookupAction implements PrivilegedAction {
+ private KdcConfiguration _config;
private KerberosPrincipal _principal;
private PrincipalStoreEntry _entry;
- public JaasLdapLookupAction(KerberosPrincipal principal) {
+ public JaasLdapLookupAction(KdcConfiguration config, KerberosPrincipal principal) {
+ _config = config;
_principal = principal;
}
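Review bot: `getEntry` on the changed line hands `_subject` to `Subject.doAs` even when `init()` has never run, in which case `_subject` is still `null` and the lookup executes without the KDC's own Kerberos credentials; with the new constructor in place it is simpler to either perform the login there or guard with `if (_subject == null) throw new IllegalStateException("LdapStore.init() not called");` so a wiring mistake fails immediately rather than as a SASL error deep inside JNDI. `init()` is lazy and unsynchronized, so two concurrent first calls can each run `KdcSubjectLogin`; harmless if the login is idempotent, but a comment should say it is expected to run once from `Main.initStore()` before traffic arrives. `_config.getKdcPassPhrase()` also passes the KDC passphrase around as an immutable `String` that cannot be cleared; if `KdcSubjectLogin` can accept a `char[]`, prefer that.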
@@ -73,23 +79,8 @@
private void performJndiOperation() {
- // Set up environment for initial context
- Hashtable env = new Hashtable();
- env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
- env.put(Context.PROVIDER_URL, LocalConfig.JNDI_PROVIDER_URL);
- // Request that the key be returned as binary, not String
- env.put("java.naming.ldap.attributes.binary", "krb5Key");
- // Request the use of SASL-GSSAPI, using already established Kerberos credentials
- env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
- // Request mutual authentication
- env.put("javax.security.sasl.server.authentication", "true");
- // Request authentication with integrity and privacy protection
- env.put("javax.security.sasl.qop", "auth-conf");
- // Request high-strength cryptographic protection
- env.put("javax.security.sasl.strength", "high");
-
try {
- DirContext ctx = new InitialDirContext(env);
+ DirContext ctx = new InitialDirContext(_config.getProperties());
search(ctx);