Posted to commits@directory.apache.org by el...@apache.org on 2007/09/24 12:18:45 UTC
svn commit: r578743 [11/12] - in
/directory/apacheds/branches/apacheds-kerberos: kerberos-shared/
kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/
kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypt...
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java Mon Sep 24 03:18:05 2007
@@ -27,18 +27,18 @@
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
-import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
-import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
-import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
+import org.apache.directory.server.kerberos.shared.messages.value.PrincipalName;
import org.apache.directory.server.kerberos.shared.messages.value.TransitedEncoding;
+import org.apache.directory.server.kerberos.shared.messages.value.flags.KdcOption;
+import org.apache.directory.server.kerberos.shared.messages.value.flags.TicketFlag;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.chain.IoHandlerCommand;
import org.slf4j.Logger;
@@ -63,114 +63,71 @@
KdcRequest request = authContext.getRequest();
CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
- KerberosPrincipal serverPrincipal = request.getServerPrincipal();
+ PrincipalName serverPrincipal = request.getServerPrincipalName();
EncryptionType encryptionType = authContext.getEncryptionType();
EncryptionKey serverKey = authContext.getServerEntry().getKeyMap().get( encryptionType );
KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
- EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
+ EncTicketPart ticketPart = new EncTicketPart();
KdcConfiguration config = authContext.getConfig();
// The INITIAL flag indicates that a ticket was issued using the AS protocol.
- newTicketBody.setFlag( TicketFlags.INITIAL );
+ ticketPart.setFlag( TicketFlag.INITIAL );
// The PRE-AUTHENT flag indicates that the client used pre-authentication.
if ( authContext.isPreAuthenticated() )
{
- newTicketBody.setFlag( TicketFlags.PRE_AUTHENT );
+ ticketPart.setFlag( TicketFlag.PRE_AUTHENT );
}
- if ( request.getOption( KdcOptions.FORWARDABLE ) )
+ if ( request.getKdcOptions().isFlagSet( KdcOption.FORWARDABLE ) )
{
- if ( !config.isForwardableAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
-
- newTicketBody.setFlag( TicketFlags.FORWARDABLE );
+ ticketPart.setFlag( TicketFlag.FORWARDABLE );
}
- if ( request.getOption( KdcOptions.PROXIABLE ) )
+ if ( request.getKdcOptions().isFlagSet( KdcOption.PROXIABLE ) )
{
- if ( !config.isProxiableAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
-
- newTicketBody.setFlag( TicketFlags.PROXIABLE );
+ ticketPart.setFlag( TicketFlag.PROXIABLE );
}
- if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
+ if ( request.getKdcOptions().isFlagSet( KdcOption.ALLOW_POSTDATE ) )
{
- if ( !config.isPostdatedAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
-
- newTicketBody.setFlag( TicketFlags.MAY_POSTDATE );
+ ticketPart.setFlag( TicketFlag.MAY_POSTDATE );
}
- if ( request.getOption( KdcOptions.RENEW ) || request.getOption( KdcOptions.VALIDATE )
- || request.getOption( KdcOptions.PROXY ) || request.getOption( KdcOptions.FORWARDED )
- || request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
+ if ( request.getKdcOptions().isFlagSet( KdcOption.RENEW ) ||
+ request.getKdcOptions().isFlagSet( KdcOption.VALIDATE ) ||
+ request.getKdcOptions().isFlagSet( KdcOption.PROXY ) ||
+ request.getKdcOptions().isFlagSet( KdcOption.FORWARDED ) ||
+ request.getKdcOptions().isFlagSet( KdcOption.ENC_TKT_IN_SKEY ) )
{
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
}
EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( authContext.getEncryptionType() );
- newTicketBody.setSessionKey( sessionKey );
+ ticketPart.setSessionKey( sessionKey );
- newTicketBody.setClientPrincipal( request.getClientPrincipal() );
- newTicketBody.setTransitedEncoding( new TransitedEncoding() );
+ ticketPart.setClientPrincipal( request.getClientPrincipal() );
+ ticketPart.setTransitedEncoding( new TransitedEncoding() );
KerberosTime now = new KerberosTime();
+ ticketPart.setAuthTime( now );
- newTicketBody.setAuthTime( now );
-
- KerberosTime startTime = request.getFrom();
-
- /*
- * "If the requested starttime is absent, indicates a time in the past,
- * or is within the window of acceptable clock skew for the KDC and the
- * POSTDATE option has not been specified, then the starttime of the
- * ticket is set to the authentication server's current time."
- */
- if ( startTime == null || startTime.lessThan( now ) || startTime.isInClockSkew( config.getAllowableClockSkew() )
- && !request.getOption( KdcOptions.POSTDATED ) )
- {
- startTime = now;
- }
-
- /*
- * "If it indicates a time in the future beyond the acceptable clock skew,
- * but the POSTDATED option has not been specified, then the error
- * KDC_ERR_CANNOT_POSTDATE is returned."
- */
- if ( startTime != null && startTime.greaterThan( now )
- && !startTime.isInClockSkew( config.getAllowableClockSkew() ) && !request.getOption( KdcOptions.POSTDATED ) )
+ if ( request.getKdcOptions().isFlagSet( KdcOption.POSTDATED ) )
{
- throw new KerberosException( ErrorType.KDC_ERR_CANNOT_POSTDATE );
- }
-
- /*
- * "Otherwise the requested starttime is checked against the policy of the
- * local realm and if the ticket's starttime is acceptable, it is set as
- * requested, and the INVALID flag is set in the new ticket."
- */
- if ( request.getOption( KdcOptions.POSTDATED ) )
- {
- if ( !config.isPostdatedAllowed() )
+ // TODO - possibly allow req.from range
+ if ( !config.isPostdateAllowed() )
{
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_POLICY );
}
- newTicketBody.setFlag( TicketFlags.POSTDATED );
- newTicketBody.setFlag( TicketFlags.INVALID );
- newTicketBody.setStartTime( startTime );
+ ticketPart.setFlag( TicketFlag.INVALID );
+ ticketPart.setStartTime( request.getFrom() );
}
long till = 0;
+
if ( request.getTill().getTime() == 0 )
{
till = Long.MAX_VALUE;
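Review bot: The realm policy gates on the option flags are gone: the new FORWARDABLE, PROXIABLE and ALLOW_POSTDATE branches set the ticket flag whenever the client asks, with no `config.isForwardableAllowed()` / `isProxiableAllowed()` / `isPostdateAllowed()` check and no KDC_ERR_POLICY, so a KDC configured to refuse those flags now issues them anyway. The POSTDATED branch also drops the POSTDATED ticket flag (only INVALID is set now) and passes `request.getFrom()` straight to setStartTime, while the KDC_ERR_CANNOT_POSTDATE rejection of a future `from` without the POSTDATED option no longer exists anywhere in the hunk. If the checks are meant to move to a separate policy stage, a comment at the top of the option handling saying so would save the next reader the search; otherwise the guards should come back as below (the POSTDATED flag line assumes the new TicketFlag enum carries a POSTDATED member as the old TicketFlags did). The enclosing execute method starts before and ends after this hunk.
```java
if ( request.getKdcOptions().isFlagSet( KdcOption.FORWARDABLE ) )
{
    if ( !config.isForwardableAllowed() )
    {
        throw new KerberosException( KerberosErrorType.KDC_ERR_POLICY );
    }

    ticketPart.setFlag( TicketFlag.FORWARDABLE );
}

if ( request.getKdcOptions().isFlagSet( KdcOption.PROXIABLE ) )
{
    if ( !config.isProxiableAllowed() )
    {
        throw new KerberosException( KerberosErrorType.KDC_ERR_POLICY );
    }

    ticketPart.setFlag( TicketFlag.PROXIABLE );
}

if ( request.getKdcOptions().isFlagSet( KdcOption.ALLOW_POSTDATE ) )
{
    if ( !config.isPostdateAllowed() )
    {
        throw new KerberosException( KerberosErrorType.KDC_ERR_POLICY );
    }

    ticketPart.setFlag( TicketFlag.MAY_POSTDATE );
}

// … unchanged: BADOPTION check, session key, client principal, transited encoding, auth time …

if ( request.getKdcOptions().isFlagSet( KdcOption.POSTDATED ) )
{
    // TODO - possibly allow req.from range
    if ( !config.isPostdateAllowed() )
    {
        throw new KerberosException( KerberosErrorType.KDC_ERR_POLICY );
    }

    ticketPart.setFlag( TicketFlag.POSTDATED ); // assumes the new enum has POSTDATED, as TicketFlags did
    ticketPart.setFlag( TicketFlag.INVALID );
    ticketPart.setStartTime( request.getFrom() );
}
```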
@@ -179,87 +136,53 @@
{
till = request.getTill().getTime();
}
-
- /*
- * The end time is the minimum of (a) the requested till time or (b)
- * the start time plus maximum lifetime as configured in policy.
- */
- long endTime = Math.min( till, startTime.getTime() + config.getMaximumTicketLifetime() );
+
+ long endTime = Math.min( now.getTime() + config.getMaximumTicketLifetime(), till );
KerberosTime kerberosEndTime = new KerberosTime( endTime );
- newTicketBody.setEndTime( kerberosEndTime );
+ ticketPart.setEndTime( kerberosEndTime );
- /*
- * "If the requested expiration time minus the starttime (as determined
- * above) is less than a site-determined minimum lifetime, an error
- * message with code KDC_ERR_NEVER_VALID is returned."
- */
- if ( kerberosEndTime.lessThan( startTime ) )
+ long tempRenewtime = 0;
+
+ if ( request.getKdcOptions().isFlagSet( KdcOption.RENEWABLE_OK ) &&
+ request.getTill().greaterThan( kerberosEndTime ) )
{
- throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
+ request.getKdcOptions().setFlag( KdcOption.RENEWABLE );
+ tempRenewtime = request.getTill().getTime();
}
- long ticketLifeTime = Math.abs( startTime.getTime() - kerberosEndTime.getTime() );
- if ( ticketLifeTime < config.getAllowableClockSkew() )
+ if ( tempRenewtime == 0 || request.getRenewtime() == null )
{
- throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
+ tempRenewtime = request.getTill().getTime();
}
-
- /*
- * "If the requested expiration time for the ticket exceeds what was determined
- * as above, and if the 'RENEWABLE-OK' option was requested, then the 'RENEWABLE'
- * flag is set in the new ticket, and the renew-till value is set as if the
- * 'RENEWABLE' option were requested."
- */
- KerberosTime tempRtime = request.getRtime();
-
- if ( request.getOption( KdcOptions.RENEWABLE_OK ) && request.getTill().greaterThan( kerberosEndTime ) )
+ else
{
- if ( !config.isRenewableAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
-
- request.setOption( KdcOptions.RENEWABLE );
- tempRtime = request.getTill();
+ tempRenewtime = request.getRenewtime().getTime();
}
- if ( request.getOption( KdcOptions.RENEWABLE ) )
+ if ( request.getKdcOptions().isFlagSet( KdcOption.RENEWABLE ) )
{
- if ( !config.isRenewableAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
+ ticketPart.setFlag( TicketFlag.RENEWABLE );
- newTicketBody.setFlag( TicketFlags.RENEWABLE );
+ /*
+ * 'from' KerberosTime is OPTIONAL
+ */
+ KerberosTime fromTime = request.getFrom();
- if ( tempRtime == null || tempRtime.isZero() )
+ if ( fromTime == null )
{
- tempRtime = KerberosTime.INFINITY;
+ fromTime = new KerberosTime();
}
- /*
- * The renew-till time is the minimum of (a) the requested renew-till
- * time or (b) the start time plus maximum renewable lifetime as
- * configured in policy.
- */
- long renewTill = Math.min( tempRtime.getTime(), startTime.getTime() + config.getMaximumRenewableLifetime() );
- newTicketBody.setRenewTill( new KerberosTime( renewTill ) );
+ long renewTill = Math.min( fromTime.getTime() + config.getMaximumRenewableLifetime(), tempRenewtime );
+ ticketPart.setRenewTill( new KerberosTime( renewTill ) );
}
- if ( request.getAddresses() != null && request.getAddresses().getAddresses() != null
- && request.getAddresses().getAddresses().length > 0 )
- {
- newTicketBody.setClientAddresses( request.getAddresses() );
- }
- else
+ if ( request.getAddresses() != null )
{
- if ( !config.isEmptyAddressesAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
+ ticketPart.setClientAddresses( request.getAddresses() );
}
- EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
+ //EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart, KeyUsage.NUMBER2 );
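Review bot: The end time is now `Math.min( now.getTime() + config.getMaximumTicketLifetime(), till )` while a POSTDATED ticket's start time is `request.getFrom()`, and both KDC_ERR_NEVER_VALID checks (end before start, lifetime shorter than the clock skew) are removed, so a postdated request with a distant `from` can be issued a ticket whose end time precedes its start time. The `config.isRenewableAllowed()` gate is gone from both the RENEWABLE_OK and RENEWABLE branches, and the address block now calls setClientAddresses for any non-null value without the `config.isEmptyAddressesAllowed()` policy check; if these policy moves are intended they belong in the commit message, otherwise the guard should return as `if ( !config.isRenewableAllowed() ) { throw new KerberosException( KerberosErrorType.KDC_ERR_POLICY ); }` at the top of the RENEWABLE branch and likewise before the setClientAddresses call. The renew-till fallback also changed silently: an absent or zero rtime used to mean `KerberosTime.INFINITY` capped by the maximum renewable lifetime and now means `request.getTill()`, which deserves a comment where `tempRenewtime` is defaulted. The commented-out `//EncTicketPart ticketPart = newTicketBody.getEncTicketPart();` should be deleted rather than kept. execute continues outside the hunk.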
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetClientEntry.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetClientEntry.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetClientEntry.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetClientEntry.java Mon Sep 24 03:18:05 2007
@@ -22,7 +22,7 @@
import javax.security.auth.kerberos.KerberosPrincipal;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
import org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry;
import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.mina.common.IoSession;
@@ -41,7 +41,7 @@
KerberosPrincipal principal = authContext.getRequest().getClientPrincipal();
PrincipalStore store = authContext.getStore();
- authContext.setClientEntry( getEntry( principal, store, ErrorType.KDC_ERR_C_PRINCIPAL_UNKNOWN ) );
+ authContext.setClientEntry( getEntry( principal, store, KerberosErrorType.KDC_ERR_C_PRINCIPAL_UNKNOWN ) );
next.execute( session, message );
}
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetServerEntry.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetServerEntry.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetServerEntry.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetServerEntry.java Mon Sep 24 03:18:05 2007
@@ -22,7 +22,7 @@
import javax.security.auth.kerberos.KerberosPrincipal;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
import org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry;
import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.mina.common.IoSession;
@@ -41,7 +41,7 @@
KerberosPrincipal principal = authContext.getRequest().getServerPrincipal();
PrincipalStore store = authContext.getStore();
- authContext.setServerEntry( getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN ) );
+ authContext.setServerEntry( getEntry( principal, store, KerberosErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN ) );
next.execute( session, message );
}
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java Mon Sep 24 03:18:05 2007
@@ -22,7 +22,7 @@
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
-import org.apache.directory.server.kerberos.shared.messages.AuthenticationReply;
+import org.apache.directory.server.kerberos.shared.messages.AuthServerReply;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.mina.common.IoSession;
@@ -42,7 +42,7 @@
{
AuthenticationContext authContext = ( AuthenticationContext ) session.getAttribute( getContextKey() );
- AuthenticationReply reply = ( AuthenticationReply ) authContext.getReply();
+ AuthServerReply reply = ( AuthServerReply ) authContext.getReply();
EncryptionKey clientKey = authContext.getClientKey();
CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java Mon Sep 24 03:18:05 2007
@@ -22,8 +22,8 @@
import java.util.Date;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.chain.IoHandlerCommand;
@@ -45,17 +45,17 @@
if ( entry.isDisabled() )
{
- throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_CLIENT_REVOKED );
}
if ( entry.isLockedOut() )
{
- throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_CLIENT_REVOKED );
}
if ( entry.getExpiration().getTime() < new Date().getTime() )
{
- throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_CLIENT_REVOKED );
}
next.execute( session, message );
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java Mon Sep 24 03:18:05 2007
@@ -27,8 +27,7 @@
import org.apache.directory.server.kerberos.shared.io.encoder.PreAuthenticationDataEncoder;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionTypeInfoEntry;
import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
-import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataModifier;
-import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.PreAuthenticationDataType;
import org.apache.mina.handler.chain.IoHandlerCommand;
@@ -52,13 +51,12 @@
{
PreAuthenticationData[] paDataSequence = new PreAuthenticationData[2];
- PreAuthenticationDataModifier modifier = new PreAuthenticationDataModifier();
- modifier.setDataType( PreAuthenticationDataType.PA_ENC_TIMESTAMP );
- modifier.setDataValue( new byte[0] );
+ PreAuthenticationData preAuthData = new PreAuthenticationData( PreAuthenticationDataType.PA_ENC_TIMESTAMP, new byte[0] );
- paDataSequence[0] = modifier.getPreAuthenticationData();
+ paDataSequence[0] = preAuthData;
EncryptionTypeInfoEntry[] entries = new EncryptionTypeInfoEntry[encryptionTypes.length];
+
for ( int ii = 0; ii < encryptionTypes.length; ii++ )
{
entries[ii] = new EncryptionTypeInfoEntry( encryptionTypes[ii], null );
@@ -75,11 +73,10 @@
return null;
}
- PreAuthenticationDataModifier encTypeModifier = new PreAuthenticationDataModifier();
- encTypeModifier.setDataType( PreAuthenticationDataType.PA_ETYPE_INFO );
- encTypeModifier.setDataValue( encTypeInfo );
+ PreAuthenticationData encType = new PreAuthenticationData(
+ PreAuthenticationDataType.PA_ENCTYPE_INFO, encTypeInfo );
- paDataSequence[1] = encTypeModifier.getPreAuthenticationData();
+ paDataSequence[1] = encType;
try
{
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java Mon Sep 24 03:18:05 2007
@@ -21,21 +21,22 @@
import java.io.IOException;
+import java.util.List;
import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.io.decoder.EncryptedDataDecoder;
import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
-import org.apache.directory.server.kerberos.shared.messages.value.EncryptedTimeStamp;
+import org.apache.directory.server.kerberos.shared.messages.value.PreAuthEncryptedTimestamp;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
-import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.PreAuthenticationDataType;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.mina.common.IoSession;
import org.slf4j.Logger;
@@ -74,9 +75,7 @@
{
if ( log.isDebugEnabled() )
{
- log.debug(
- "Entry for client principal {} has no SAM type. Proceeding with standard pre-authentication.",
- clientName );
+ log.debug( "Entry for client principal {} has no SAM type. Proceeding with standard pre-authentication.", clientName );
}
EncryptionType encryptionType = authContext.getEncryptionType();
@@ -84,68 +83,55 @@
if ( clientKey == null )
{
- throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_NULL_KEY );
}
if ( config.isPaEncTimestampRequired() )
{
- PreAuthenticationData[] preAuthData = request.getPreAuthData();
+ List<PreAuthenticationData> preAuthDatas = request.getPreAuthData();
- if ( preAuthData == null )
+ if ( preAuthDatas == null )
{
- throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+ throw new KerberosException( KerberosErrorType.KDC_ERR_PREAUTH_REQUIRED,
preparePreAuthenticationError( config.getEncryptionTypes() ) );
}
- EncryptedTimeStamp timestamp = null;
+ PreAuthEncryptedTimestamp timestamp = null;
- for ( int ii = 0; ii < preAuthData.length; ii++ )
+ for ( PreAuthenticationData preAuthData:preAuthDatas )
{
- if ( preAuthData[ii].getDataType().equals( PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
+ if ( preAuthData.getDataType().equals( PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
{
EncryptedData dataValue;
try
{
- dataValue = EncryptedDataDecoder.decode( preAuthData[ii].getDataValue() );
+ dataValue = EncryptedDataDecoder.decode( preAuthData.getDataValue() );
}
catch ( IOException ioe )
{
- throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, ioe );
+ throw new KerberosException( KerberosErrorType.KRB_AP_ERR_BAD_INTEGRITY, ioe );
}
catch ( ClassCastException cce )
{
- throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, cce );
+ throw new KerberosException( KerberosErrorType.KRB_AP_ERR_BAD_INTEGRITY, cce );
}
- timestamp = ( EncryptedTimeStamp ) cipherTextHandler.unseal( EncryptedTimeStamp.class,
+ timestamp = ( PreAuthEncryptedTimestamp ) cipherTextHandler.unseal( PreAuthEncryptedTimestamp.class,
clientKey, dataValue, KeyUsage.NUMBER1 );
}
}
- if ( preAuthData.length > 0 && timestamp == null )
- {
- throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
- }
-
if ( timestamp == null )
{
- throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+ throw new KerberosException( KerberosErrorType.KDC_ERR_PREAUTH_REQUIRED,
preparePreAuthenticationError( config.getEncryptionTypes() ) );
}
if ( !timestamp.getTimeStamp().isInClockSkew( config.getAllowableClockSkew() ) )
{
- throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_FAILED );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_PREAUTH_FAILED );
}
-
- /*
- * if(decrypted_enc_timestamp and usec is replay)
- * error_out(KDC_ERR_PREAUTH_FAILED);
- * endif
- *
- * add decrypted_enc_timestamp and usec to replay cache;
- */
}
}
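Review bot: The block comment describing the replay check on the decrypted timestamp was deleted without the check being implemented, so the remaining gap in this verifier is no longer visible in the code; keep a marker such as `// TODO: check the decrypted timestamp and usec against a replay cache before accepting the pre-authentication` at the end of the PA_ENC_TIMESTAMP branch. The removed KDC_ERR_PADATA_TYPE_NOSUPP branch also changes what a client sees when it sent pre-authentication data of only unsupported types — it now gets KDC_ERR_PREAUTH_REQUIRED — which should either be stated in the commit message or restored. The loop still keeps iterating after a timestamp is unsealed, so the last PA_ENC_TIMESTAMP entry wins; a `break;` after the unseal would make the first one authoritative and avoid unsealing data the server then discards. The method continues outside the hunk.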
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java Mon Sep 24 03:18:05 2007
@@ -20,6 +20,8 @@
package org.apache.directory.server.kerberos.kdc.preauthentication;
+import java.util.List;
+
import javax.security.auth.kerberos.KerberosKey;
import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
@@ -28,12 +30,12 @@
import org.apache.directory.server.kerberos.sam.SamSubsystem;
import org.apache.directory.server.kerberos.sam.TimestampChecker;
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
-import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.PreAuthenticationDataType;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.mina.common.IoSession;
import org.slf4j.Logger;
@@ -75,22 +77,22 @@
log.debug( "Entry for client principal {} has a valid SAM type. Invoking SAM subsystem for pre-authentication.", clientName );
}
- PreAuthenticationData[] preAuthData = request.getPreAuthData();
+ List<PreAuthenticationData> preAuthDatas = request.getPreAuthData();
- if ( preAuthData == null || preAuthData.length == 0 )
+ if ( ( preAuthDatas == null ) || ( preAuthDatas.size() == 0 ) )
{
- throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError( config
+ throw new KerberosException( KerberosErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError( config
.getEncryptionTypes() ) );
}
try
{
- for ( int ii = 0; ii < preAuthData.length; ii++ )
+ for ( PreAuthenticationData preAuthData:preAuthDatas )
{
- if ( preAuthData[ii].getDataType().equals( PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
+ if ( preAuthData.getDataType().equals( PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
{
KerberosKey samKey = SamSubsystem.getInstance().verify( clientEntry,
- preAuthData[ii].getDataValue() );
+ preAuthData.getDataValue() );
clientKey = new EncryptionKey( EncryptionType.getTypeByOrdinal( samKey.getKeyType() ), samKey
.getEncoded() );
}
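Review bot: `( preAuthDatas == null ) || ( preAuthDatas.size() == 0 )` reads more idiomatically as `preAuthDatas == null || preAuthDatas.isEmpty()`, and the enhanced-for header `for ( PreAuthenticationData preAuthData:preAuthDatas )` should space the colon like the other operators in the hunk. The same loop-header spacing appears in the VerifyEncryptedTimestamp hunk above. The try block continues in the next hunk.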
@@ -98,7 +100,7 @@
}
catch ( SamException se )
{
- throw new KerberosException( ErrorType.KRB_ERR_GENERIC, se );
+ throw new KerberosException( KerberosErrorType.KRB_ERR_GENERIC, se );
}
authContext.setClientKey( clientKey );
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java Mon Sep 24 03:18:05 2007
@@ -24,7 +24,6 @@
import org.apache.directory.server.kerberos.shared.messages.TicketGrantReply;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
import org.apache.directory.server.kerberos.shared.messages.value.LastRequest;
-import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.chain.IoHandlerCommand;
@@ -59,7 +58,7 @@
reply.setEndTime( newTicket.getEndTime() );
reply.setServerPrincipal( newTicket.getServerPrincipal() );
- if ( newTicket.getFlag( TicketFlags.RENEWABLE ) )
+ if ( newTicket.getFlags().isRenewable() )
{
reply.setRenewTill( newTicket.getRenewTill() );
}
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java Mon Sep 24 03:18:05 2007
@@ -20,6 +20,7 @@
package org.apache.directory.server.kerberos.kdc.ticketgrant;
+import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -31,19 +32,19 @@
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
-import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
import org.apache.directory.server.kerberos.shared.messages.value.AuthorizationData;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
-import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
-import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
+import org.apache.directory.server.kerberos.shared.messages.value.flags.KdcOption;
+import org.apache.directory.server.kerberos.shared.messages.value.flags.TicketFlag;
+import org.apache.directory.server.kerberos.shared.messages.value.flags.TicketFlags;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.chain.IoHandlerCommand;
@@ -72,312 +73,197 @@
KdcConfiguration config = tgsContext.getConfig();
- EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
+ EncTicketPart ticketPart = new EncTicketPart();
- newTicketBody.setClientAddresses( tgt.getClientAddresses() );
+ ticketPart.setClientAddresses( tgt.getClientAddresses() );
- processFlags( config, request, tgt, newTicketBody );
+ processFlags( config, request, tgt, ticketPart );
EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( tgsContext.getEncryptionType() );
- newTicketBody.setSessionKey( sessionKey );
+ ticketPart.setSessionKey( sessionKey );
- newTicketBody.setClientPrincipal( tgt.getClientPrincipal() );
+ ticketPart.setClientPrincipal( tgt.getClientPrincipal() );
if ( request.getEncAuthorizationData() != null )
{
AuthorizationData authData = ( AuthorizationData ) cipherTextHandler.unseal( AuthorizationData.class,
authenticator.getSubSessionKey(), request.getEncAuthorizationData(), KeyUsage.NUMBER4 );
authData.add( tgt.getAuthorizationData() );
- newTicketBody.setAuthorizationData( authData );
+ ticketPart.setAuthorizationData( authData );
}
- processTransited( newTicketBody, tgt );
+ processTransited( ticketPart, tgt );
- processTimes( config, request, newTicketBody, tgt );
+ processTimes( config, request, ticketPart, tgt );
- EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
-
- if ( request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
+ if ( request.getOption( KdcOption.ENC_TKT_IN_SKEY ) )
{
/*
- * if (server not specified) then
- * server = req.second_ticket.client;
- * endif
- *
- * if ((req.second_ticket is not a TGT) or
- * (req.second_ticket.client != server)) then
- * error_out(KDC_ERR_POLICY);
- * endif
- *
- * new_tkt.enc-part := encrypt OCTET STRING using etype_for_key(second-ticket.key), second-ticket.key;
+ if (server not specified) then
+ server = req.second_ticket.client;
+ endif
+ if ((req.second_ticket is not a TGT) or
+ (req.second_ticket.client != server)) then
+ error_out(KDC_ERR_POLICY);
+ endif
+ new_tkt.enc-part := encrypt OCTET STRING
+ using etype_for_key(second-ticket.key), second-ticket.key;
*/
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_SVC_UNAVAILABLE );
}
- else
- {
- EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart, KeyUsage.NUMBER2 );
- Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
- newTicket.setEncTicketPart( ticketPart );
+ EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart, KeyUsage.NUMBER2 );
- tgsContext.setNewTicket( newTicket );
- }
+ Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
+ newTicket.setEncTicketPart( ticketPart );
+
+ tgsContext.setNewTicket( newTicket );
next.execute( session, message );
}
private void processFlags( KdcConfiguration config, KdcRequest request, Ticket tgt,
- EncTicketPartModifier newTicketBody ) throws KerberosException
+ EncTicketPart ticketPart ) throws KerberosException
{
- if ( tgt.getFlag( TicketFlags.PRE_AUTHENT ) )
+ TicketFlags tgtFlags = tgt.getFlags();
+
+ if ( tgtFlags.isFlagSet( TicketFlag.PRE_AUTHENT ) )
{
- newTicketBody.setFlag( TicketFlags.PRE_AUTHENT );
+ ticketPart.setFlag( TicketFlag.PRE_AUTHENT );
}
- if ( request.getOption( KdcOptions.FORWARDABLE ) )
+ if ( request.getOption( KdcOption.FORWARDABLE ) )
{
- if ( !config.isForwardableAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
-
- if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
+ if ( !tgtFlags.isForwardable() )
{
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
}
- newTicketBody.setFlag( TicketFlags.FORWARDABLE );
+ ticketPart.setFlag( TicketFlag.FORWARDABLE );
}
- if ( request.getOption( KdcOptions.FORWARDED ) )
+ if ( request.getOption( KdcOption.FORWARDED ) )
{
- if ( !config.isForwardableAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
-
- if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
- {
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
- }
-
- if ( request.getAddresses() != null && request.getAddresses().getAddresses() != null
- && request.getAddresses().getAddresses().length > 0 )
- {
- newTicketBody.setClientAddresses( request.getAddresses() );
- }
- else
+ if ( !tgtFlags.isForwardable() )
{
- if ( !config.isEmptyAddressesAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
+ throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
}
-
- newTicketBody.setFlag( TicketFlags.FORWARDED );
+
+ ticketPart.setFlag( TicketFlag.FORWARDED );
+ ticketPart.setClientAddresses( request.getAddresses() );
}
- if ( tgt.getFlag( TicketFlags.FORWARDED ) )
+ if ( tgtFlags.isForwarded() )
{
- newTicketBody.setFlag( TicketFlags.FORWARDED );
+ ticketPart.setFlag( TicketFlag.FORWARDED );
}
- if ( request.getOption( KdcOptions.PROXIABLE ) )
+ if ( request.getOption( KdcOption.PROXIABLE ) )
{
- if ( !config.isProxiableAllowed() )
+ if ( !tgtFlags.isProxiable() )
{
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
}
- if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
- {
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
- }
-
- newTicketBody.setFlag( TicketFlags.PROXIABLE );
+ ticketPart.setFlag( TicketFlag.PROXIABLE );
}
- if ( request.getOption( KdcOptions.PROXY ) )
+ if ( request.getOption( KdcOption.PROXY ) )
{
- if ( !config.isProxiableAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
-
- if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
- {
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
- }
-
- if ( request.getAddresses() != null && request.getAddresses().getAddresses() != null
- && request.getAddresses().getAddresses().length > 0 )
+ if ( !tgtFlags.isProxiable() )
{
- newTicketBody.setClientAddresses( request.getAddresses() );
- }
- else
- {
- if ( !config.isEmptyAddressesAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
+ throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
}
- newTicketBody.setFlag( TicketFlags.PROXY );
+ ticketPart.setFlag( TicketFlag.PROXY );
+ ticketPart.setClientAddresses( request.getAddresses() );
}
- if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
+ if ( request.getOption( KdcOption.ALLOW_POSTDATE ) )
{
- if ( !config.isPostdatedAllowed() )
+ if ( !tgtFlags.isMayPosdate() )
{
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
}
- if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
- {
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
- }
-
- newTicketBody.setFlag( TicketFlags.MAY_POSTDATE );
+ ticketPart.setFlag( TicketFlag.MAY_POSTDATE );
}
- /*
- * "Otherwise, if the TGT has the MAY-POSTDATE flag set, then the resulting
- * ticket will be postdated, and the requested starttime is checked against
- * the policy of the local realm. If acceptable, the ticket's starttime is
- * set as requested, and the INVALID flag is set. The postdated ticket MUST
- * be validated before use by presenting it to the KDC after the starttime
- * has been reached. However, in no case may the starttime, endtime, or
- * renew-till time of a newly-issued postdated ticket extend beyond the
- * renew-till time of the TGT."
- */
- if ( request.getOption( KdcOptions.POSTDATED ) )
+ if ( request.getOption( KdcOption.POSTDATED ) )
{
- if ( !config.isPostdatedAllowed() )
+ if ( !tgtFlags.isMayPosdate() )
{
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
}
- if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
+ ticketPart.setFlag( TicketFlag.POSTDATED );
+ ticketPart.setFlag( TicketFlag.INVALID );
+
+ if ( !config.isPostdateAllowed() )
{
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_POLICY );
}
- newTicketBody.setFlag( TicketFlags.POSTDATED );
- newTicketBody.setFlag( TicketFlags.INVALID );
-
- newTicketBody.setStartTime( request.getFrom() );
+ ticketPart.setStartTime( request.getFrom() );
}
- if ( request.getOption( KdcOptions.VALIDATE ) )
+ if ( request.getOption( KdcOption.VALIDATE ) )
{
- if ( !config.isPostdatedAllowed() )
+ if ( !tgtFlags.isInvalid() )
{
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_POLICY );
}
- if ( !tgt.getFlag( TicketFlags.INVALID ) )
+ if ( tgt.getStartTime().greaterThan( new KerberosTime() ) )
{
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ throw new KerberosException( KerberosErrorType.KRB_AP_ERR_TKT_NYV );
}
- KerberosTime startTime = ( tgt.getStartTime() != null ) ? tgt.getStartTime() : tgt.getAuthTime();
-
- if ( startTime.greaterThan( new KerberosTime() ) )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
- }
-
- /*
- * if (check_hot_list(tgt)) then
- * error_out(KRB_AP_ERR_REPEAT);
- * endif
- */
-
- echoTicket( newTicketBody, tgt );
- newTicketBody.clearFlag( TicketFlags.INVALID );
+ echoTicket( ticketPart, tgt );
+ ticketPart.clearFlag( TicketFlag.INVALID );
}
- if ( request.getOption( KdcOptions.RESERVED ) )
+ if ( request.getOption( KdcOption.RESERVED ) || request.getOption( KdcOption.RENEWABLE_OK ) )
{
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
}
}
- private void processTimes( KdcConfiguration config, KdcRequest request, EncTicketPartModifier newTicketBody,
+ private void processTimes( KdcConfiguration config, KdcRequest request, EncTicketPart ticketPart,
Ticket tgt ) throws KerberosException
{
KerberosTime now = new KerberosTime();
- newTicketBody.setAuthTime( tgt.getAuthTime() );
-
- KerberosTime startTime = request.getFrom();
-
- /*
- * "If the requested starttime is absent, indicates a time in the past,
- * or is within the window of acceptable clock skew for the KDC and the
- * POSTDATE option has not been specified, then the starttime of the
- * ticket is set to the authentication server's current time."
- */
- if ( startTime == null || startTime.lessThan( now ) || startTime.isInClockSkew( config.getAllowableClockSkew() )
- && !request.getOption( KdcOptions.POSTDATED ) )
- {
- startTime = now;
- }
-
- /*
- * "If it indicates a time in the future beyond the acceptable clock skew,
- * but the POSTDATED option has not been specified or the MAY-POSTDATE flag
- * is not set in the TGT, then the error KDC_ERR_CANNOT_POSTDATE is
- * returned."
- */
- if ( startTime != null && startTime.greaterThan( now )
- && !startTime.isInClockSkew( config.getAllowableClockSkew() )
- && ( !request.getOption( KdcOptions.POSTDATED ) || !tgt.getFlag( TicketFlags.MAY_POSTDATE ) ) )
- {
- throw new KerberosException( ErrorType.KDC_ERR_CANNOT_POSTDATE );
- }
+ ticketPart.setAuthTime( tgt.getAuthTime() );
KerberosTime renewalTime = null;
- KerberosTime kerberosEndTime = null;
- if ( request.getOption( KdcOptions.RENEW ) )
+ if ( request.getOption( KdcOption.RENEW ) )
{
- if ( !config.isRenewableAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
-
- if ( !tgt.getFlag( TicketFlags.RENEWABLE ) )
+ if ( !tgt.getFlags().isRenewable() )
{
- throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
}
- if ( tgt.getRenewTill().lessThan( now ) )
+ if ( tgt.getRenewTill().greaterThan( now ) )
{
- throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
+ throw new KerberosException( KerberosErrorType.KRB_AP_ERR_TKT_EXPIRED );
}
- echoTicket( newTicketBody, tgt );
+ echoTicket( ticketPart, tgt );
- newTicketBody.setStartTime( now );
-
- KerberosTime tgtStartTime = ( tgt.getStartTime() != null ) ? tgt.getStartTime() : tgt.getAuthTime();
-
- long oldLife = tgt.getEndTime().getTime() - tgtStartTime.getTime();
-
- kerberosEndTime = new KerberosTime( Math.min( tgt.getRenewTill().getTime(), now.getTime() + oldLife ) );
- newTicketBody.setEndTime( kerberosEndTime );
+ ticketPart.setStartTime( now );
+ long oldLife = tgt.getEndTime().getTime() - tgt.getStartTime().getTime();
+ ticketPart.setEndTime( new KerberosTime( Math
+ .min( tgt.getRenewTill().getTime(), now.getTime() + oldLife ) ) );
}
else
{
- if ( newTicketBody.getEncTicketPart().getStartTime() == null )
- {
- newTicketBody.setStartTime( now );
- }
-
+ ticketPart.setStartTime( now );
KerberosTime till;
+
if ( request.getTill().isZero() )
{
till = KerberosTime.INFINITY;
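Review bot: The renewal expiry test `if ( tgt.getRenewTill().greaterThan( now ) )` is inverted relative to the line it replaces: a TGT whose renew-till lies in the future is now refused with KRB_AP_ERR_TKT_EXPIRED, while one whose renew-till has already passed is renewed; it should read `if ( tgt.getRenewTill().lessThan( now ) )`. In processTimes the non-RENEW branch now calls `ticketPart.setStartTime( now )` unconditionally, which overwrites the start time processFlags stored from `request.getFrom()` for POSTDATED requests (processFlags runs before processTimes in execute), so the old guard `if ( ticketPart.getStartTime() == null )` should be kept. processFlags also throws KDC_ERR_BADOPTION whenever RENEWABLE_OK is set, which rejects a standard client option outright and makes the RENEWABLE_OK handling in the next hunk unreachable. Two further regressions: the VALIDATE and RENEW branches dereference `tgt.getStartTime()` without the old fallback to auth time, so a TGT carrying no start time will fail with a NullPointerException if that field can be absent, and FORWARDED/PROXY now copy `request.getAddresses()` into the ticket unconditionally, so a request without addresses yields a ticket with no address binding where the old code required isEmptyAddressesAllowed.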
@@ -387,29 +273,19 @@
till = request.getTill();
}
- /*
- * The end time is the minimum of (a) the requested till time or (b)
- * the start time plus maximum lifetime as configured in policy or (c)
- * the end time of the TGT.
- */
+ // TODO - config; requires store
List<KerberosTime> minimizer = new ArrayList<KerberosTime>();
minimizer.add( till );
- minimizer.add( new KerberosTime( startTime.getTime() + config.getMaximumTicketLifetime() ) );
+ minimizer.add( new KerberosTime( now.getTime() + config.getMaximumTicketLifetime() ) );
minimizer.add( tgt.getEndTime() );
- kerberosEndTime = Collections.min( minimizer );
-
- newTicketBody.setEndTime( kerberosEndTime );
+ KerberosTime minTime = Collections.min( minimizer );
+ ticketPart.setEndTime( minTime );
- if ( request.getOption( KdcOptions.RENEWABLE_OK ) && kerberosEndTime.lessThan( request.getTill() )
- && tgt.getFlag( TicketFlags.RENEWABLE ) )
+ if ( request.getOption( KdcOption.RENEWABLE_OK ) && minTime.lessThan( request.getTill() )
+ && tgt.getFlags().isRenewable() )
{
- if ( !config.isRenewableAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
-
- // We set the RENEWABLE option for later processing.
- request.setOption( KdcOptions.RENEWABLE );
+ // we set the RENEWABLE option for later processing
+ request.setOption( KdcOption.RENEWABLE );
long rtime = Math.min( request.getTill().getTime(), tgt.getRenewTill().getTime() );
renewalTime = new KerberosTime( rtime );
}
@@ -417,7 +293,7 @@
if ( renewalTime == null )
{
- renewalTime = request.getRtime();
+ renewalTime = request.getRenewtime();
}
KerberosTime rtime;
@@ -430,20 +306,11 @@
rtime = renewalTime;
}
- if ( request.getOption( KdcOptions.RENEWABLE ) && tgt.getFlag( TicketFlags.RENEWABLE ) )
+ if ( request.getOption( KdcOption.RENEWABLE ) && ( tgt.getFlags().isRenewable() ) )
{
- if ( !config.isRenewableAllowed() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_POLICY );
- }
-
- newTicketBody.setFlag( TicketFlags.RENEWABLE );
+ ticketPart.setFlag( TicketFlag.RENEWABLE );
- /*
- * The renew-till time is the minimum of (a) the requested renew-till
- * time or (b) the start time plus maximum renewable lifetime as
- * configured in policy or (c) the renew-till time of the TGT.
- */
+ // TODO - client and server configurable; requires store
List<KerberosTime> minimizer = new ArrayList<KerberosTime>();
/*
@@ -454,60 +321,40 @@
minimizer.add( rtime );
}
- minimizer.add( new KerberosTime( startTime.getTime() + config.getMaximumRenewableLifetime() ) );
+ minimizer.add( new KerberosTime( now.getTime() + config.getMaximumRenewableLifetime() ) );
minimizer.add( tgt.getRenewTill() );
- newTicketBody.setRenewTill( Collections.min( minimizer ) );
- }
-
- /*
- * "If the requested expiration time minus the starttime (as determined
- * above) is less than a site-determined minimum lifetime, an error
- * message with code KDC_ERR_NEVER_VALID is returned."
- */
- if ( kerberosEndTime.lessThan( startTime ) )
- {
- throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
- }
-
- long ticketLifeTime = Math.abs( startTime.getTime() - kerberosEndTime.getTime() );
- if ( ticketLifeTime < config.getAllowableClockSkew() )
- {
- throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
+ ticketPart.setRenewTill( Collections.min( minimizer ) );
}
}
- /*
- * if (realm_tgt_is_for(tgt) := tgt.realm) then
- * // tgt issued by local realm
- * new_tkt.transited := tgt.transited;
- * else
- * // was issued for this realm by some other realm
- * if (tgt.transited.tr-type not supported) then
- * error_out(KDC_ERR_TRTYPE_NOSUPP);
- * endif
- *
- * new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
- * endif
- */
- private void processTransited( EncTicketPartModifier newTicketBody, Ticket tgt )
+ private void processTransited( EncTicketPart ticketPart, Ticket tgt )
{
// TODO - currently no transited support other than local
- newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
+ ticketPart.setTransitedEncoding( tgt.getTransitedEncoding() );
}
- protected void echoTicket( EncTicketPartModifier newTicketBody, Ticket tgt )
+ protected void echoTicket( EncTicketPart ticketPart, Ticket tgt )
{
- newTicketBody.setAuthorizationData( tgt.getAuthorizationData() );
- newTicketBody.setAuthTime( tgt.getAuthTime() );
- newTicketBody.setClientAddresses( tgt.getClientAddresses() );
- newTicketBody.setClientPrincipal( tgt.getClientPrincipal() );
- newTicketBody.setEndTime( tgt.getEndTime() );
- newTicketBody.setFlags( tgt.getFlags() );
- newTicketBody.setRenewTill( tgt.getRenewTill() );
- newTicketBody.setSessionKey( tgt.getSessionKey() );
- newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
+ ticketPart.setAuthorizationData( tgt.getAuthorizationData() );
+ ticketPart.setAuthTime( tgt.getAuthTime() );
+ ticketPart.setClientAddresses( tgt.getClientAddresses() );
+
+ try
+ {
+ ticketPart.setClientPrincipal( tgt.getClientPrincipal() );
+ }
+ catch ( ParseException pe )
+ {
+ // Do nothing
+ }
+
+ ticketPart.setEndTime( tgt.getEndTime() );
+ ticketPart.setFlags( tgt.getFlags() );
+ ticketPart.setRenewTill( tgt.getRenewTill() );
+ ticketPart.setSessionKey( tgt.getSessionKey() );
+ ticketPart.setTransitedEncoding( tgt.getTransitedEncoding() );
}
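Review bot: echoTicket swallows the ParseException from `ticketPart.setClientPrincipal( tgt.getClientPrincipal() )` with a `// Do nothing` catch, so a TGT whose client principal fails to parse is echoed into a new ticket with the client principal left unset instead of the request being refused. Both callers (processFlags and processTimes) already declare `throws KerberosException`, so the catch should rethrow with the cause, `throw new KerberosException( KerberosErrorType.KRB_ERR_GENERIC, pe );`, and echoTicket should declare `throws KerberosException`. Separately, the KDC_ERR_NEVER_VALID checks that the computed end time is not before the start time and not shorter than the allowable clock skew are dropped without replacement; with the end time now min( till, now + maximum lifetime, TGT end time ), a TGT whose end time has already passed produces a ticket that ends before it starts unless that is rejected earlier in the chain, which is not visible here.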
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java Mon Sep 24 03:18:05 2007
@@ -21,15 +21,16 @@
import java.io.IOException;
+import java.util.List;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder;
-import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
+import org.apache.directory.server.kerberos.shared.messages.application.ApplicationRequest;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
-import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.PreAuthenticationDataType;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.chain.IoHandlerCommand;
@@ -37,10 +38,6 @@
/**
* Differs from the changepw getAuthHeader by verifying the presence of TGS_REQ.
*
- * Note that reading the application request requires first determining the server
- * for which a ticket was issued, and choosing the correct key for decryption. The
- * name of the server appears in the plaintext part of the ticket.
- *
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
* @version $Rev$, $Date$
*/
@@ -66,26 +63,20 @@
protected ApplicationRequest getAuthHeader( KdcRequest request ) throws KerberosException, IOException
{
- PreAuthenticationData[] preAuthData = request.getPreAuthData();
-
- if ( preAuthData == null || preAuthData.length < 1 )
- {
- throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
- }
-
byte[] undecodedAuthHeader = null;
+ List<PreAuthenticationData> preAuthData = request.getPreAuthData();
- for ( int ii = 0; ii < preAuthData.length; ii++ )
+ for ( PreAuthenticationData paData:preAuthData )
{
- if ( preAuthData[ii].getDataType() == PreAuthenticationDataType.PA_TGS_REQ )
+ if ( paData.getDataType() == PreAuthenticationDataType.PA_TGS_REQ )
{
- undecodedAuthHeader = preAuthData[ii].getDataValue();
+ undecodedAuthHeader = paData.getDataValue();
}
}
if ( undecodedAuthHeader == null )
{
- throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
+ throw new KerberosException( KerberosErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
}
ApplicationRequestDecoder decoder = new ApplicationRequestDecoder();
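Review bot: The guard that rejected a missing pre-authentication list is removed, and `for ( PreAuthenticationData paData:preAuthData )` iterates the result of `request.getPreAuthData()` directly, so if that accessor can return null a TGS-REQ without padata now fails with a NullPointerException in the handler chain instead of the KDC_ERR_PADATA_TYPE_NOSUPP the rest of the method reports; keep a null check ahead of the loop, `if ( preAuthData == null ) { throw new KerberosException( KerberosErrorType.KDC_ERR_PADATA_TYPE_NOSUPP ); }`. The same array-to-list conversion appears in the authentication-side hunk at the top of this page, whose start is outside the visible range. getAuthHeader continues past the end of the hunk.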
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java Mon Sep 24 03:18:05 2007
@@ -20,9 +20,8 @@
package org.apache.directory.server.kerberos.kdc.ticketgrant;
-import javax.security.auth.kerberos.KerberosPrincipal;
-
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.PrincipalName;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
import org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry;
import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
@@ -39,10 +38,10 @@
{
TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
- KerberosPrincipal principal = tgsContext.getRequest().getServerPrincipal();
+ PrincipalName principal = tgsContext.getRequest().getServerPrincipalName();
PrincipalStore store = tgsContext.getStore();
- PrincipalStoreEntry entry = getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
+ PrincipalStoreEntry entry = getEntry( principal, store, KerberosErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
tgsContext.setRequestPrincipalEntry( entry );
next.execute( session, message );
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java Mon Sep 24 03:18:05 2007
@@ -20,9 +20,8 @@
package org.apache.directory.server.kerberos.kdc.ticketgrant;
-import javax.security.auth.kerberos.KerberosPrincipal;
-
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.PrincipalName;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
import org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry;
import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
@@ -39,10 +38,10 @@
{
TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
- KerberosPrincipal principal = tgsContext.getTgt().getServerPrincipal();
+ PrincipalName principal = tgsContext.getTgt().getServerPrincipalName();
PrincipalStore store = tgsContext.getStore();
- PrincipalStoreEntry entry = getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
+ PrincipalStoreEntry entry = getEntry( principal, store, KerberosErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
tgsContext.setTicketPrincipalEntry( entry );
next.execute( session, message );
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java Mon Sep 24 03:18:05 2007
@@ -26,9 +26,12 @@
import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumType;
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.messages.application.ApplicationRequest;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
import org.apache.directory.server.kerberos.shared.messages.value.HostAddresses;
+import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
+import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.chain.IoHandlerCommand;
@@ -45,22 +48,9 @@
/** the log for this class */
private static final Logger log = LoggerFactory.getLogger( MonitorContext.class );
- private String serviceName;
-
private String contextKey = "context";
- /**
- * Creates a new instance of MonitorContext.
- *
- * @param serviceName
- */
- public MonitorContext( String serviceName )
- {
- this.serviceName = serviceName;
- }
-
-
public void execute( NextCommand next, IoSession session, Object message ) throws Exception
{
if ( log.isDebugEnabled() )
@@ -69,8 +59,11 @@
{
TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
+ PrincipalStore store = tgsContext.getStore();
+ ApplicationRequest authHeader = tgsContext.getAuthHeader();
Ticket tgt = tgsContext.getTgt();
long clockSkew = tgsContext.getConfig().getAllowableClockSkew();
+ ReplayCache replayCache = tgsContext.getReplayCache();
ChecksumType checksumType = tgsContext.getAuthenticator().getChecksum().getChecksumType();
InetAddress clientAddress = tgsContext.getClientAddress();
HostAddresses clientAddresses = tgt.getClientAddresses();
@@ -83,8 +76,10 @@
StringBuffer sb = new StringBuffer();
- sb.append( "Monitoring " + serviceName + " context:" );
-
+ sb.append( "\n\t" + "store " + store );
+ sb.append( "\n\t" + "authHeader " + authHeader );
+ sb.append( "\n\t" + "tgt " + tgt );
+ sb.append( "\n\t" + "replayCache " + replayCache );
sb.append( "\n\t" + "clockSkew " + clockSkew );
sb.append( "\n\t" + "checksumType " + checksumType );
sb.append( "\n\t" + "clientAddress " + clientAddress );
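Review bot: The debug entry now renders `authHeader` and `tgt` through their toString in `sb.append( "\n\t" + "authHeader " + authHeader );` and `sb.append( "\n\t" + "tgt " + tgt );`; if either type prints its decrypted part (the ticket session key or the authenticator's sub-session key), enabling debug logging for this class writes key material into log files, so either confirm those toString methods emit only non-secret fields or log the identifying fields (client principal, server principal, times, flags) explicitly. The removed `sb.append( "Monitoring " + serviceName + " context:" );` was the only line that gave the entry a heading, so the message now begins with a bare newline; `sb.append( "Monitoring TGS context:" );` restores a heading without the dropped field. execute's body continues outside the hunk.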
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingContext.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingContext.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingContext.java Mon Sep 24 03:18:05 2007
@@ -21,7 +21,7 @@
import org.apache.directory.server.kerberos.kdc.KdcContext;
-import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
+import org.apache.directory.server.kerberos.shared.messages.application.ApplicationRequest;
import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java Mon Sep 24 03:18:05 2007
@@ -20,12 +20,11 @@
package org.apache.directory.server.kerberos.kdc.ticketgrant;
-import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.messages.value.Checksum;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.chain.IoHandlerCommand;
import org.slf4j.Logger;
@@ -48,23 +47,18 @@
public void execute( NextCommand next, IoSession session, Object message ) throws Exception
{
TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
- KdcConfiguration config = tgsContext.getConfig();
+ byte[] bodyBytes = tgsContext.getRequest().getBodyBytes();
+ Checksum authenticatorChecksum = tgsContext.getAuthenticator().getChecksum();
- if ( config.isBodyChecksumVerified() )
+ if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null
+ || authenticatorChecksum.getChecksumValue() == null )
{
- byte[] bodyBytes = tgsContext.getRequest().getBodyBytes();
- Checksum authenticatorChecksum = tgsContext.getAuthenticator().getChecksum();
-
- if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null
- || authenticatorChecksum.getChecksumValue() == null || bodyBytes == null )
- {
- throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
- }
+ throw new KerberosException( KerberosErrorType.KRB_AP_ERR_INAPP_CKSUM );
+ }
- log.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() );
+ log.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() );
- checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, null, KeyUsage.NUMBER8 );
- }
+ checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, null, KeyUsage.NUMBER8 );
next.execute( session, message );
}
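Review bot: The rewritten guard at `if ( authenticatorChecksum == null || ...` drops the `bodyBytes == null` test the old gated version had, so a request whose body bytes were not captured now reaches `checksumHandler.verifyChecksum( ... )` with a null buffer; depending on the handler that is an NPE, which the protocol handler's generic catch turns into KDC_ERR_SVC_UNAVAILABLE instead of the intended KRB_AP_ERR_INAPP_CKSUM. Restore it: `|| authenticatorChecksum.getChecksumValue() == null || bodyBytes == null )`. Separately, the checksum is verified with a `null` key and `KeyUsage.NUMBER8`; RFC 4120 §5.5.1 expects the TGS-REQ body checksum to be a keyed checksum under the TGT session key (key usage 6), so if `NUMBER8` maps to RFC usage 8 and a null key restricts verification to unkeyed checksum types, a client sending a keyed checksum cannot be verified here and the binding between authenticator and request body is weaker than the spec intends — worth confirming against `ChecksumHandler`. Making the verification unconditional (no more `isBodyChecksumVerified()` toggle) is the right direction.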
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java Mon Sep 24 03:18:05 2007
@@ -20,50 +20,52 @@
package org.apache.directory.server.kerberos.kdc.ticketgrant;
-import java.net.InetAddress;
-
-import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
-import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
-import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
-import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
-import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
-import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
-import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
-import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
-import org.apache.directory.server.kerberos.shared.service.VerifyAuthHeader;
+import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
+import org.apache.directory.server.kerberos.shared.messages.value.Checksum;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
import org.apache.mina.common.IoSession;
+import org.apache.mina.handler.chain.IoHandlerCommand;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
/**
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
* @version $Rev$, $Date$
*/
-public class VerifyTgtAuthHeader extends VerifyAuthHeader
+public class VerifyBodyChecksum implements IoHandlerCommand
{
+ /** the log for this class */
+ private static final Logger log = LoggerFactory.getLogger( VerifyBodyChecksum.class );
+
+ private ChecksumHandler checksumHandler = new ChecksumHandler();
+ private String contextKey = "context";
+
+
public void execute( NextCommand next, IoSession session, Object message ) throws Exception
{
TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
+ byte[] bodyBytes = tgsContext.getRequest().getBodyBytes();
+ Checksum authenticatorChecksum = tgsContext.getAuthenticator().getChecksum();
- ApplicationRequest authHeader = tgsContext.getAuthHeader();
- Ticket tgt = tgsContext.getTgt();
-
- boolean isValidate = tgsContext.getRequest().getKdcOptions().get( KdcOptions.VALIDATE );
-
- EncryptionType encryptionType = tgt.getEncPart().getEncryptionType();
- EncryptionKey serverKey = tgsContext.getTicketPrincipalEntry().getKeyMap().get( encryptionType );
-
- long clockSkew = tgsContext.getConfig().getAllowableClockSkew();
- ReplayCache replayCache = tgsContext.getReplayCache();
- boolean emptyAddressesAllowed = tgsContext.getConfig().isEmptyAddressesAllowed();
- InetAddress clientAddress = tgsContext.getClientAddress();
- CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
+ if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null
+ || authenticatorChecksum.getChecksumValue() == null )
+ {
+ throw new KerberosException( KerberosErrorType.KRB_AP_ERR_INAPP_CKSUM );
+ }
- Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache,
- emptyAddressesAllowed, clientAddress, cipherTextHandler, KeyUsage.NUMBER7, isValidate );
+ log.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() );
- tgsContext.setAuthenticator( authenticator );
+ checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, null, KeyUsage.NUMBER8 );
next.execute( session, message );
+ }
+
+
+ private String getContextKey()
+ {
+ return ( this.contextKey );
}
}
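Review bot: The new side of this file declares `public class VerifyBodyChecksum implements IoHandlerCommand` inside VerifyTgtAuthHeader.java, which cannot compile (a public top-level class must match its file name) and duplicates the VerifyBodyChecksum.java changed earlier in this commit, so it looks like the wrong content was committed to this path. More importantly, the removed lines are the only place visible here that decrypted the AP-REQ authenticator with the TGT's server key (`verifyAuthHeader( ... KeyUsage.NUMBER7, isValidate )`), consulted the replay cache, applied the clock-skew and client-address checks, and called `tgsContext.setAuthenticator( authenticator )`; with them gone, VerifyBodyChecksum's `tgsContext.getAuthenticator()` has nothing to read, and unless the TGS chain still runs an equivalent step elsewhere in this commit, TGS-REQs would be processed without the AP-REQ ever being verified. Restore the original `VerifyTgtAuthHeader extends VerifyAuthHeader` body in this file (with the same `ErrorType` → `KerberosErrorType` and `messages.application.ApplicationRequest` import adjustments this commit makes elsewhere) and keep VerifyBodyChecksum only in its own file.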
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java Mon Sep 24 03:18:05 2007
@@ -30,12 +30,11 @@
import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationServiceChain;
import org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingContext;
import org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingServiceChain;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
-import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
-import org.apache.directory.server.kerberos.shared.messages.ErrorMessageModifier;
+import org.apache.directory.server.kerberos.shared.messages.KerberosError;
import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.mina.common.IdleStatus;
import org.apache.mina.common.IoHandler;
@@ -179,40 +178,31 @@
case 11:
case 13:
- throw new KerberosException( ErrorType.KRB_AP_ERR_BADDIRECTION );
+ throw new KerberosException( KerberosErrorType.KRB_AP_ERR_BADDIRECTION );
default:
- throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
+ throw new KerberosException( KerberosErrorType.KRB_AP_ERR_MSG_TYPE );
}
}
catch ( KerberosException ke )
{
- String messageText = ke.getMessage() + " (" + ke.getErrorCode() + ")";
-
if ( log.isDebugEnabled() )
{
- log.warn( messageText, ke );
+ log.warn( ke.getMessage(), ke );
}
else
{
- log.warn( messageText );
+ log.warn( ke.getMessage() );
}
- ErrorMessage error = getErrorMessage( config.getServicePrincipal(), ke );
-
- if ( log.isDebugEnabled() )
- {
- logErrorMessage( error );
- }
-
- session.write( error );
+ session.write( getErrorMessage( config.getServicePrincipal(), ke ) );
}
catch ( Exception e )
{
log.error( "Unexpected exception: " + e.getMessage(), e );
session.write( getErrorMessage( config.getServicePrincipal(), new KerberosException(
- ErrorType.KDC_ERR_SVC_UNAVAILABLE ) ) );
+ KerberosErrorType.KDC_ERR_SVC_UNAVAILABLE ) ) );
}
}
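Review bot: `log.warn( ke.getMessage() )` drops the numeric error code that the removed `messageText` carried, so an operator counting KDC_ERR_PREAUTH_FAILED or KRB_AP_ERR_REPEAT events (password-spray or replay detection) now has to parse free text; keep it with `log.warn( "{} ({})", ke.getMessage(), ke.getErrorCode() );` in the non-debug branch and `log.warn( ke.getMessage() + " (" + ke.getErrorCode() + ")", ke );` in the debug one. The deleted `logErrorMessage` dump was also the only place the client principal and times of the outgoing KRB-ERROR were logged; if that is still wanted, log the relevant `KerberosError` fields from the object returned by `getErrorMessage` rather than reintroducing the helper. The enclosing method and its `try` block start above this hunk.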
@@ -226,44 +216,20 @@
}
- protected ErrorMessage getErrorMessage( KerberosPrincipal principal, KerberosException exception )
+ protected KerberosError getErrorMessage( KerberosPrincipal principal, KerberosException exception )
{
- ErrorMessageModifier modifier = new ErrorMessageModifier();
+ KerberosError kerberosError = new KerberosError();
KerberosTime now = new KerberosTime();
- modifier.setErrorCode( exception.getErrorCode() );
- modifier.setExplanatoryText( exception.getMessage() );
- modifier.setServerPrincipal( principal );
- modifier.setServerTime( now );
- modifier.setServerMicroSecond( 0 );
- modifier.setExplanatoryData( exception.getExplanatoryData() );
-
- return modifier.getErrorMessage();
- }
-
+ kerberosError.setErrorCode( KerberosErrorType.getTypeByOrdinal( exception.getErrorCode() ) );
+ kerberosError.setExplanatoryText( exception.getMessage() );
+ kerberosError.setServerPrincipal( principal );
+ kerberosError.setServerTime( now );
+ kerberosError.setServerMicroseconds( 0 );
+ kerberosError.setExplanatoryData( exception.getExplanatoryData() );
- protected void logErrorMessage( ErrorMessage error )
- {
- try
- {
- StringBuffer sb = new StringBuffer();
-
- sb.append( "Responding to request with error:" );
- sb.append( "\n\t" + "explanatory text: " + error.getExplanatoryText() );
- sb.append( "\n\t" + "error code: " + error.getErrorCode() );
- sb.append( "\n\t" + "clientPrincipal: " + error.getClientPrincipal() );
- sb.append( "\n\t" + "client time: " + error.getServerTime() );
- sb.append( "\n\t" + "serverPrincipal: " + error.getServerPrincipal() );
- sb.append( "\n\t" + "server time: " + error.getClientTime() );
-
- log.debug( sb.toString() );
- }
- catch ( Exception e )
- {
- // This is a monitor. No exceptions should bubble up.
- log.error( "Error in reply monitor", e );
- }
+ return kerberosError;
}