Posted to commits@directory.apache.org by er...@apache.org on 2005/08/26 18:41:15 UTC
svn commit: r240282 - in
/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication:
./ PreAuthenticationChain.java VerifierBase.java
VerifyEncryptedTimestamp.java VerifySam.java
Author: erodriguez
Date: Fri Aug 26 09:41:10 2005
New Revision: 240282
URL: http://svn.apache.org/viewcvs?rev=240282&view=rev
Log:
Kerberos pre-authentication chain consisting of verifiers for SAM and PA_ENC_TIMESTAMP.
Added:
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java (with props)
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java?rev=240282&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java Fri Aug 26 09:41:10 2005
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.preauthentication;
+
+import org.apache.kerberos.chain.impl.ChainBase;
+
+public class PreAuthenticationChain extends ChainBase
+{
+ public PreAuthenticationChain()
+ {
+ super();
+ addCommand( new VerifySam() );
+ addCommand( new VerifyEncryptedTimestamp() );
+ }
+}
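Review bot: The order of the two addCommand calls at lines 50–51 looks load-bearing but is not documented: VerifyEncryptedTimestamp returns CONTINUE_CHAIN immediately once the context already carries a client key, so whatever VerifySam stores is what the rest of the chain sees. A reader who reorders the constructor body has no hint that this changes behaviour. A one-line comment above the first addCommand would make the dependency explicit, e.g. `// Order matters: VerifySam runs first and VerifyEncryptedTimestamp is a no-op once a client key is set.`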
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/PreAuthenticationChain.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java?rev=240282&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java Fri Aug 26 09:41:10 2005
@@ -0,0 +1,71 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.preauthentication;
+
+import java.io.IOException;
+
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.encryption.EncryptionType;
+import org.apache.kerberos.io.encoder.EncryptionTypeInfoEncoder;
+import org.apache.kerberos.io.encoder.PreAuthenticationDataEncoder;
+import org.apache.kerberos.messages.value.EncryptionTypeInfoEntry;
+import org.apache.kerberos.messages.value.PreAuthenticationData;
+import org.apache.kerberos.messages.value.PreAuthenticationDataModifier;
+import org.apache.kerberos.messages.value.PreAuthenticationDataType;
+
+public abstract class VerifierBase extends CommandBase
+{
+ public byte[] preparePreAuthenticationError()
+ {
+ PreAuthenticationData[] paDataSequence = new PreAuthenticationData[ 2 ];
+
+ PreAuthenticationDataModifier modifier = new PreAuthenticationDataModifier();
+ modifier.setDataType( PreAuthenticationDataType.PA_ENC_TIMESTAMP );
+ modifier.setDataValue( new byte[ 0 ] );
+
+ paDataSequence[ 0 ] = modifier.getPreAuthenticationData();
+
+ EncryptionTypeInfoEntry[] entries = new EncryptionTypeInfoEntry[ 1 ];
+ entries[ 0 ] = new EncryptionTypeInfoEntry( EncryptionType.DES_CBC_MD5, null );
+
+ byte[] encTypeInfo = null;
+
+ try
+ {
+ encTypeInfo = EncryptionTypeInfoEncoder.encode( entries );
+ }
+ catch ( IOException ioe )
+ {
+ return null;
+ }
+
+ PreAuthenticationDataModifier encTypeModifier = new PreAuthenticationDataModifier();
+ encTypeModifier.setDataType( PreAuthenticationDataType.PA_ENCTYPE_INFO );
+ encTypeModifier.setDataValue( encTypeInfo );
+
+ paDataSequence[ 1 ] = encTypeModifier.getPreAuthenticationData();
+
+ try
+ {
+ return PreAuthenticationDataEncoder.encode( paDataSequence );
+ }
+ catch ( IOException ioe )
+ {
+ return null;
+ }
+ }
+}
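Review bot: The ETYPE-INFO returned with KDC_ERR_PREAUTH_REQUIRED is hard-coded to a single DES_CBC_MD5 entry with no salt (line 105), independent of which encryption type the principal's stored key actually has; if the store can hold keys of other types, the client will derive the wrong key from this hint and fail pre-authentication, and DES is in any case the weakest type the KDC could advertise. The method would be more useful taking the client's key type as an argument, e.g. `public byte[] preparePreAuthenticationError( EncryptionType clientKeyType )`, with the existing no-arg form delegating to it. Separately, both catch blocks (lines 113–116 and 128–131) return null without recording the IOException, so an encoding failure silently produces an error reply with no e-data and no trace of why; at minimum the cause should be logged or the exception propagated rather than dropped.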
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifierBase.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java?rev=240282&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java Fri Aug 26 09:41:10 2005
@@ -0,0 +1,150 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.preauthentication;
+
+import java.io.IOException;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.decoder.EncryptedDataDecoder;
+import org.apache.kerberos.io.decoder.EncryptedTimestampDecoder;
+import org.apache.kerberos.kdc.authentication.AuthenticationContext;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptedTimeStamp;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.PreAuthenticationData;
+import org.apache.kerberos.messages.value.PreAuthenticationDataType;
+import org.apache.kerberos.service.KdcConfiguration;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+
+public class VerifyEncryptedTimestamp extends VerifierBase
+{
+ /** the log for this class */
+ private static final Log log = LogFactory.getLog( VerifyEncryptedTimestamp.class );
+
+ public boolean execute( Context ctx ) throws Exception
+ {
+ AuthenticationContext authContext = (AuthenticationContext) ctx;
+
+ if ( authContext.getClientKey() != null )
+ {
+ return CONTINUE_CHAIN;
+ }
+
+ log.debug( "Verifying using encrypted timestamp." );
+ KdcConfiguration config = authContext.getConfig();
+ KdcRequest request = authContext.getRequest();
+ PrincipalStoreEntry clientEntry = authContext.getClientEntry();
+ String clientName = clientEntry.getPrincipal().getName();
+
+ EncryptionKey clientKey = null;
+
+ if ( clientEntry.getSamType() == null )
+ {
+ if ( log.isDebugEnabled() )
+ {
+ log.debug( "entry for client principal " + clientName
+ + " has no SAM type: proceeding with standard pre-authentication" );
+ }
+
+ clientKey = clientEntry.getEncryptionKey();
+
+ if ( clientKey == null )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
+ }
+
+ if ( config.isPaEncTimestampRequired() )
+ {
+ PreAuthenticationData[] preAuthData = request.getPreAuthData();
+
+ if ( preAuthData == null )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+ preparePreAuthenticationError() );
+ }
+
+ EncryptedTimeStamp timestamp = null;
+
+ for ( int ii = 0; ii < preAuthData.length; ii++ )
+ {
+ if ( preAuthData[ ii ].getDataType().equals(
+ PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
+ {
+ try
+ {
+ EncryptedData dataValue = EncryptedDataDecoder.decode( preAuthData[ ii ]
+ .getDataValue() );
+ EncryptionEngine engine = EncryptionEngineFactory
+ .getEncryptionEngineFor( clientKey );
+ byte[] decTimestamp = engine.getDecryptedData( clientKey, dataValue );
+
+ EncryptedTimestampDecoder timeStampDecoder = new EncryptedTimestampDecoder();
+ timestamp = timeStampDecoder.decode( decTimestamp );
+ }
+ catch ( KerberosException ke )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+ }
+ catch ( IOException ioe )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+ }
+ catch ( ClassCastException cce )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+ }
+ }
+ }
+
+ if ( timestamp == null )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+ preparePreAuthenticationError() );
+ }
+
+ if ( !timestamp.getTimeStamp().isInClockSkew( config.getClockSkew() ) )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_FAILED );
+ }
+
+ /*
+ if(decrypted_enc_timestamp and usec is replay)
+ error_out(KDC_ERR_PREAUTH_FAILED);
+ endif
+
+ add decrypted_enc_timestamp and usec to replay cache;
+ */
+ }
+ }
+
+ authContext.setClientKey( clientKey );
+
+ if ( log.isDebugEnabled() )
+ {
+ log.debug( "Pre-authentication by encrypted timestamp successful for " + clientName + "." );
+ }
+
+ return CONTINUE_CHAIN;
+ }
+}
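Review bot: The replay check that RFC 4120 requires for PA-ENC-TIMESTAMP is present only as pseudocode in the comment at lines 273–279, so once a timestamp decrypts correctly it is accepted every time it is presented for as long as it stays inside the clock skew window checked at line 268. If the replay cache is planned for a later commit, a `// TODO: replay cache for decrypted timestamp/usec not yet implemented` marker would be clearer than a bare pseudocode block. Also, the loop at lines 231–260 keeps going after a timestamp has been decoded, so with several PA_ENC_TIMESTAMP entries the last one decides the outcome; a `break;` after line 245 would make the first entry authoritative. The three catch blocks at lines 247–258 collapse decode and decryption failures into KRB_AP_ERR_BAD_INTEGRITY while discarding the original exception; keeping the client-facing code fixed is reasonable, but the cause should be logged at debug level so a misconfigured key can be diagnosed.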
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java?rev=240282&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java Fri Aug 26 09:41:10 2005
@@ -0,0 +1,103 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.preauthentication;
+
+import javax.security.auth.kerberos.KerberosKey;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.crypto.encryption.EncryptionType;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.kdc.authentication.AuthenticationContext;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.PreAuthenticationData;
+import org.apache.kerberos.messages.value.PreAuthenticationDataType;
+import org.apache.kerberos.sam.SamException;
+import org.apache.kerberos.sam.SamSubsystem;
+import org.apache.kerberos.sam.TimestampChecker;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+
+public class VerifySam extends VerifierBase
+{
+ /** the log for this class */
+ private static final Log log = LogFactory.getLog( VerifySam.class );
+
+ static
+ {
+ log.debug( "Initializing SAM subsystem" );
+ SamSubsystem.getInstance().setIntegrityChecker( new TimestampChecker() );
+ }
+
+ public boolean execute( Context ctx ) throws Exception
+ {
+ log.debug( "Verifying using SAM subsystem." );
+ AuthenticationContext authContext = (AuthenticationContext) ctx;
+ KdcRequest request = authContext.getRequest();
+ PrincipalStoreEntry clientEntry = authContext.getClientEntry();
+ String clientName = clientEntry.getPrincipal().getName();
+
+ EncryptionKey clientKey = null;
+
+ if ( clientEntry.getSamType() != null )
+ {
+ if ( log.isDebugEnabled() )
+ {
+ log.debug( "entry for client principal " + clientName
+ + " has a valid SAM type: invoking SAM subsystem for pre-authentication" );
+ }
+
+ PreAuthenticationData[] preAuthData = request.getPreAuthData();
+
+ if ( preAuthData == null || preAuthData.length == 0 )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+ preparePreAuthenticationError() );
+ }
+
+ try
+ {
+ for ( int ii = 0; ii < preAuthData.length; ii++ )
+ {
+ if ( preAuthData[ ii ].getDataType().equals(
+ PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
+ {
+ KerberosKey samKey = SamSubsystem.getInstance().verify( clientEntry,
+ preAuthData[ ii ].getDataValue() );
+ clientKey = new EncryptionKey( EncryptionType.getTypeByOrdinal( samKey
+ .getKeyType() ), samKey.getEncoded() );
+ }
+ }
+ }
+ catch ( SamException se )
+ {
+ throw new KerberosException( ErrorType.KRB_ERR_GENERIC, se.getMessage() );
+ }
+
+ authContext.setClientKey( clientKey );
+
+ if ( log.isDebugEnabled() )
+ {
+ log.debug( "Pre-authentication using SAM subsystem successful for " + clientName + "." );
+ }
+ }
+
+ return CONTINUE_CHAIN;
+ }
+}
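Review bot: After the loop at lines 377–387, clientKey is still null when the request carries pre-authentication data but none of it is of type PA_ENC_TIMESTAMP, yet the method stores that null key at line 394 and logs the pre-authentication as successful; the analogous path in VerifyEncryptedTimestamp rejects a missing timestamp with KDC_ERR_PREAUTH_REQUIRED. The same guard belongs here, before line 394: `if ( clientKey == null ) { throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError() ); }`. The catch at lines 389–392 also forwards se.getMessage() into the KerberosException and drops the exception itself; if that text ends up in the error reply sent to the client it may expose internal detail, so prefer a fixed message and log the SamException as the cause. Finally, the static initializer at lines 343–347 reconfigures the SamSubsystem singleton as a side effect of class loading, which is hard to discover from a caller; a comment such as `// Registers the timestamp integrity checker once, when the verifier class is first loaded.` would at least make the effect visible.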
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/preauthentication/VerifySam.java
------------------------------------------------------------------------------
svn:eol-style = native