Posted to commits@directory.apache.org by er...@apache.org on 2007/07/21 13:17:06 UTC

svn commit: r558298 - /directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java

Author: erodriguez
Date: Sat Jul 21 04:17:03 2007
New Revision: 558298

URL: http://svn.apache.org/viewvc?view=rev&rev=558298
Log:
Enhanced auth header verification to support new replay cache elements and to allow ticket validation by ticket-granting service.

Modified:
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java

Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java?view=diff&rev=558298&r1=558297&r2=558298
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java (original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java Sat Jul 21 04:17:03 2007
@@ -22,6 +22,8 @@
 
 import java.net.InetAddress;
 
+import javax.security.auth.kerberos.KerberosPrincipal;
+
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
@@ -63,12 +65,13 @@
      * @param clientAddress
      * @param lockBox
      * @param authenticatorKeyUsage
+     * @param isValidate
      * @return The authenticator.
      * @throws KerberosException
      */
     public Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket, EncryptionKey serverKey,
         long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress clientAddress,
-        CipherTextHandler lockBox, KeyUsage authenticatorKeyUsage ) throws KerberosException
+        CipherTextHandler lockBox, KeyUsage authenticatorKeyUsage, boolean isValidate ) throws KerberosException
     {
         if ( authHeader.getProtocolVersionNumber() != 5 )
         {
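Review bot: The added `@param isValidate` tag is left without a description, and since this flag changes which tickets the method accepts a caller needs to know what to pass. Suggest `* @param isValidate true when the ticket is presented for validation, so a ticket still carrying the INVALID flag is accepted` — this matches the flag's only use further down in the method, where it suppresses the KRB_AP_ERR_TKT_NYV rejection for INVALID tickets. verifyAuthHeader's body continues past the end of this hunk.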
@@ -134,27 +137,42 @@
             }
         }
 
-        if ( replayCache.isReplay( authenticator.getClientTime(), authenticator.getClientPrincipal() ) )
+        KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
+        KerberosPrincipal clientPrincipal = authenticator.getClientPrincipal();
+        KerberosTime clientTime = authenticator.getClientTime();
+        int clientMicroSeconds = authenticator.getClientMicroSecond();
+
+        if ( replayCache.isReplay( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds ) )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_REPEAT );
         }
 
-        replayCache.save( authenticator.getClientTime(), authenticator.getClientPrincipal() );
+        replayCache.save( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds );
 
         if ( !authenticator.getClientTime().isInClockSkew( clockSkew ) )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_SKEW );
         }
 
-        if ( ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew( clockSkew )
-            || ticket.getFlag( TicketFlags.INVALID ) )
+        /*
+         * "The server computes the age of the ticket: local (server) time minus
+         * the starttime inside the Ticket.  If the starttime is later than the
+         * current time by more than the allowable clock skew, or if the INVALID
+         * flag is set in the ticket, the KRB_AP_ERR_TKT_NYV error is returned."
+         */
+        KerberosTime startTime = ( ticket.getStartTime() != null ) ? ticket.getStartTime() : ticket.getAuthTime();
+
+        KerberosTime now = new KerberosTime();
+        boolean isValidStartTime = startTime.lessThan( now );
+
+        if ( !isValidStartTime || ( ticket.getFlag( TicketFlags.INVALID ) && !isValidate ) )
         {
             // it hasn't yet become valid
             throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
         }
 
         // TODO - doesn't take into account skew
-        if ( !ticket.getEndTime().greaterThan( new KerberosTime() ) )
+        if ( !ticket.getEndTime().greaterThan( now ) )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
         }
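Review bot: The rewritten start-time check `boolean isValidStartTime = startTime.lessThan( now );` drops the clock-skew tolerance that the old `isInClockSkew( clockSkew )` test applied and that the spec text quoted just above it calls for ("later than the current time by more than the allowable clock skew"); a ticket whose starttime is a few seconds ahead of this server's clock is now rejected with KRB_AP_ERR_TKT_NYV, so ordinary drift between the KDC and the application server turns into authentication failures. Assuming KerberosTime.isInClockSkew compares the distance from the current time against clockSkew, as it is used for the client time a few lines earlier, `boolean isValidStartTime = startTime.lessThan( now ) || startTime.isInClockSkew( clockSkew );` restores the tolerance. Separately, `replayCache.save( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds );` still runs before the KRB_AP_ERR_SKEW check, so an authenticator rejected for skew is recorded in the cache anyway; placing the skew check ahead of the replay check keeps the cache to authenticators that were actually accepted (this ordering predates the commit). As a point of style, the new `clientTime` local is not used by that skew check, which still calls `authenticator.getClientTime()` directly.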