You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by co...@apache.org on 2017/07/21 11:27:17 UTC
[30/50] [abbrv] directory-kerby git commit: Refactoring the package
and structure
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java
new file mode 100644
index 0000000..1f063c3
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java
@@ -0,0 +1,319 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import sun.security.jgss.GSSHeader;
+import sun.security.util.ObjectIdentifier;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+/**
+ * This class implements the token formats defined in RFC 1964 and its updates
+ *
+ * The GSS Wrap token has the following format:
+ *
+ * Byte no Name Description
+ * 0..1 TOK_ID 0201
+ *
+ * 2..3 SGN_ALG Checksum algorithm indicator.
+ * 00 00 DES MAC MD5
+ * 01 00 MD2.5
+ * 02 00 DES MAC
+ * 04 00 HMAC SHA1 DES3-KD
+ * 11 00 RC4-HMAC used by Microsoft Windows, RFC 4757
+ * 4..5 SEAL_ALG ff ff none
+ * 00 00 DES
+ * 02 00 DES3-KD
+ * 10 00 RC4-HMAC
+ * 6..7 Filler FF FF
+ * 8..15 SND_SEQ Encrypted sequence number field.
+ * 16..23 SNG_CKSUM Checksum of plaintext padded data,
+ * calculated according to algorithm
+ * specified in SGN_ALG field.
+ * 24.. Data Encrypted or plaintext padded data
+ *
+ *
+ *
+ * Use of the GSS MIC token has the following format:
+
+ * Byte no Name Description
+ * 0..1 TOK_ID 0101
+ * 2..3 SGN_ALG Integrity algorithm indicator.
+ * 4..7 Filler Contains ff ff ff ff
+ * 8..15 SND_SEQ Sequence number field.
+ * 16..23 SGN_CKSUM Checksum of "to-be-signed data",
+ * calculated according to algorithm
+ * specified in SGN_ALG field.
+ *
+ */
+abstract class GssTokenV1 extends GssTokenBase {
+ // SGN ALG
+ public static final int SGN_ALG_DES_MAC_MD5 = 0;
+ public static final int SGN_ALG_MD25 = 0x0100;
+ public static final int SGN_ALG_DES_MAC = 0x0200;
+ public static final int SGN_ALG_HMAC_SHA1_DES3_KD = 0x0400;
+ public static final int SGN_ALG_RC4_HMAC = 0x1100;
+
+ // SEAL ALG
+ public static final int SEAL_ALG_NONE = 0xFFFF;
+ public static final int SEAL_ALG_DES = 0x0; // "DES/CBC/NoPadding"
+ public static final int SEAL_ALG_DES3_KD = 0x0200;
+ public static final int SEAL_ALG_RC4_HMAC = 0x1000;
+
+ public static final int KG_USAGE_SEAL = 22;
+ public static final int KG_USAGE_SIGN = 23;
+ public static final int KG_USAGE_SEQ = 24;
+ public static final int KG_USAGE_MS_SIGN = 15;
+
+ private boolean isInitiator;
+ private boolean confState;
+ private int sequenceNumber;
+
+ protected GssEncryptor encryptor;
+
+ private GSSHeader gssHeader;
+
+ public static final int TOKEN_HEADER_COMM_SIZE = 8;
+ public static final int TOKEN_HEADER_SEQ_SIZE = 8;
+
+ // Token commHeader data
+ private int tokenType;
+ private byte[] commHeader = new byte[TOKEN_HEADER_COMM_SIZE];
+ private int sgnAlg;
+ private int sealAlg;
+
+ private byte[] plainSequenceBytes;
+ private byte[] encryptedSequenceNumber = new byte[TOKEN_HEADER_SEQ_SIZE];
+ private byte[] checkSum;
+ private int checkSumSize;
+
+ protected int reconHeaderLen; // only used for certain reason
+
+ public static ObjectIdentifier objId;
+
+ static {
+ try {
+ objId = new ObjectIdentifier("1.2.840.113554.1.2.2");
+ } catch (IOException ioe) { // NOPMD
+ }
+ }
+
+ protected int getTokenHeaderSize() {
+ return TOKEN_HEADER_COMM_SIZE + TOKEN_HEADER_SEQ_SIZE + checkSumSize;
+ }
+
+ protected byte[] getPlainSequenceBytes() {
+ byte[] ret = new byte[4];
+ ret[0] = plainSequenceBytes[0];
+ ret[1] = plainSequenceBytes[1];
+ ret[2] = plainSequenceBytes[2];
+ ret[3] = plainSequenceBytes[3];
+ return ret;
+ }
+
+ // Generate a new token
+ GssTokenV1(int tokenType, GssContext context) throws GSSException {
+ initialize(tokenType, context, false);
+ createTokenHeader();
+ }
+
+ // Reconstruct a token
+ GssTokenV1(int tokenType, GssContext context, MessageProp prop,
+ byte[] token, int offset, int size) throws GSSException {
+ int proxLen = size > 64 ? 64 : size;
+ InputStream is = new ByteArrayInputStream(token, offset, proxLen);
+ reconstructInitializaion(tokenType, context, prop, is);
+ reconHeaderLen = gssHeader.getLength() + getTokenHeaderSize();
+ }
+
+ // Reconstruct a token
+ GssTokenV1(int tokenType, GssContext context, MessageProp prop, InputStream is) throws GSSException {
+ reconstructInitializaion(tokenType, context, prop, is);
+ }
+
+ private void reconstructInitializaion(int tokenType, GssContext context, MessageProp prop, InputStream is)
+ throws GSSException {
+ initialize(tokenType, context, true);
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ try {
+ gssHeader = new GSSHeader(is);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token:" + e.getMessage());
+ }
+
+ if (!gssHeader.getOid().equals((Object) objId)) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token OID");
+ }
+
+ reconstructTokenHeader(is, prop);
+ }
+
+ private void initialize(int tokenType,
+ GssContext context,
+ boolean reconstruct) throws GSSException {
+ this.tokenType = tokenType;
+ this.isInitiator = context.isInitiator();
+ this.confState = context.getConfState();
+ this.encryptor = context.getGssEncryptor();
+ this.checkSumSize = encryptor.getCheckSumSize();
+ if (!reconstruct) {
+ this.sequenceNumber = context.incMySequenceNumber();
+ } else {
+ checkSum = new byte[checkSumSize];
+ }
+ }
+
+ protected void calcPrivacyInfo(MessageProp prop, byte[] confounder, byte[] data,
+ int dataOffset, int dataLength, int paddingLen) throws GSSException {
+ prop.setQOP(0);
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ checkSum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
+ encryptSequenceNumber();
+ }
+
+ protected void verifyToken(byte[] confounder, byte[] data, int dataOffset, int dataLength, int paddingLen)
+ throws GSSException {
+ byte[] sum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
+ if (!MessageDigest.isEqual(checkSum, sum)) {
+ throw new GSSException(GSSException.BAD_MIC, -1,
+ "Corrupt token checksum for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
+ }
+ }
+
+ private byte[] calcCheckSum(byte[] confounder, byte[] header, byte[] data,
+ int dataOffset, int dataLength, int paddingLen) throws GSSException {
+ return encryptor.calculateCheckSum(confounder, header, data, dataOffset, dataLength, paddingLen,
+ tokenType == TOKEN_MIC_V1);
+ }
+
+ private void encryptSequenceNumber() throws GSSException {
+ plainSequenceBytes = new byte[8];
+ if (encryptor.isArcFourHmac()) {
+ writeBigEndian(plainSequenceBytes, 0, sequenceNumber);
+ } else {
+ plainSequenceBytes[0] = (byte) sequenceNumber;
+ plainSequenceBytes[1] = (byte) (sequenceNumber >>> 8);
+ plainSequenceBytes[2] = (byte) (sequenceNumber >>> 16);
+ plainSequenceBytes[3] = (byte) (sequenceNumber >>> 24);
+ }
+
+ // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
+ if (!isInitiator) {
+ plainSequenceBytes[4] = (byte) 0xFF;
+ plainSequenceBytes[5] = (byte) 0xFF;
+ plainSequenceBytes[6] = (byte) 0xFF;
+ plainSequenceBytes[7] = (byte) 0xFF;
+ }
+
+ encryptedSequenceNumber = encryptor.encryptSequenceNumber(plainSequenceBytes, checkSum, true);
+ }
+
+ public void encodeHeader(OutputStream os) throws GSSException, IOException {
+ // | GSSHeader | TokenHeader |
+ GSSHeader gssHeader = new GSSHeader(objId, getTokenSizeWithoutGssHeader());
+ gssHeader.encode(os);
+ os.write(commHeader);
+ os.write(encryptedSequenceNumber);
+ os.write(checkSum);
+ }
+
+ private void createTokenHeader() {
+ commHeader[0] = (byte) (tokenType >>> 8);
+ commHeader[1] = (byte) tokenType;
+
+ sgnAlg = encryptor.getSgnAlg();
+ commHeader[2] = (byte) (sgnAlg >>> 8);
+ commHeader[3] = (byte) sgnAlg;
+
+ if (tokenType == TOKEN_WRAP_V1) {
+ sealAlg = encryptor.getSealAlg();
+ commHeader[4] = (byte) (sealAlg >>> 8);
+ commHeader[5] = (byte) sealAlg;
+ } else {
+ commHeader[4] = (byte) 0xFF;
+ commHeader[5] = (byte) 0xFF;
+ }
+
+ commHeader[6] = (byte) 0xFF;
+ commHeader[7] = (byte) 0xFF;
+ }
+
+ // Re-construct token commHeader
+ private void reconstructTokenHeader(InputStream is, MessageProp prop) throws GSSException {
+ try {
+ if (is.read(commHeader) != commHeader.length
+ || is.read(encryptedSequenceNumber) != encryptedSequenceNumber.length
+ || is.read(checkSum) != checkSum.length) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Insufficient in reconstruct token header");
+ }
+ initTokenHeader(commHeader, prop);
+
+ plainSequenceBytes = encryptor.encryptSequenceNumber(encryptedSequenceNumber, checkSum, false);
+ byte dirc = isInitiator ? (byte) 0xFF : 0;
+ // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
+ if (!(plainSequenceBytes[4] == dirc && plainSequenceBytes[5] == dirc
+ && plainSequenceBytes[6] == dirc && plainSequenceBytes[7] == dirc)) {
+ throw new GSSException(GSSException.BAD_MIC, -1,
+ "Corrupt token sequence for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error in reconstruct token header:" + e.getMessage());
+ }
+ }
+
+ private void initTokenHeader(byte[] tokenBytes, MessageProp prop) throws GSSException {
+ int tokenIDRecv = (((int) tokenBytes[0]) << 8) + tokenBytes[1];
+ if (tokenType != tokenIDRecv) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
+ "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
+ }
+
+ sgnAlg = (((int) tokenBytes[2]) << 8) + tokenBytes[3];
+ sealAlg = (((int) tokenBytes[4]) << 8) + tokenBytes[5];
+
+ if (tokenBytes[6] != (byte) 0xFF || tokenBytes[7] != (byte) 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token head filler");
+ }
+
+ prop.setQOP(0);
+ prop.setPrivacy(sealAlg != SEAL_ALG_NONE);
+ }
+
+ protected GSSHeader getGssHeader() {
+ return gssHeader;
+ }
+
+ abstract int getTokenSizeWithoutGssHeader();
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java
new file mode 100644
index 0000000..5220900
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java
@@ -0,0 +1,282 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+/**
+ * This class implements the token formats defined in RFC 4121.
+ */
+abstract class GssTokenV2 extends GssTokenBase {
+ public static final int CONFOUNDER_SIZE = 16;
+ public static final int TOKEN_HEADER_SIZE = 16;
+ private static final int OFFSET_EC = 4;
+ private static final int OFFSET_RRC = 6;
+
+ // context states
+ private boolean isInitiator = true;
+ private boolean acceptorSubKey = false;
+ private boolean confState = true;
+ private int sequenceNumber;
+
+ // token data
+ protected int tokenType;
+ private byte[] header = new byte[TOKEN_HEADER_SIZE];
+ protected byte[] tokenData;
+
+ protected byte[] checkSum;
+ private int ec;
+ private int rrc;
+
+ static final int KG_USAGE_ACCEPTOR_SEAL = 22;
+ static final int KG_USAGE_ACCEPTOR_SIGN = 23;
+ static final int KG_USAGE_INITIATOR_SEAL = 24;
+ static final int KG_USAGE_INITIATOR_SIGN = 25;
+ private int keyUsage;
+
+ private static final int FLAG_SENT_BY_ACCEPTOR = 1;
+ private static final int FLAG_SEALED = 2;
+ private static final int FLAG_ACCEPTOR_SUBKEY = 4;
+
+ protected GssEncryptor encryptor;
+
+
+ // Create a new token
+ GssTokenV2(int tokenType, GssContext context) throws GSSException {
+ initialize(tokenType, context, false);
+ }
+
+ private void initialize(int tokenType, GssContext context, boolean reconstruct) throws GSSException {
+ this.tokenType = tokenType;
+ this.isInitiator = context.isInitiator();
+ this.acceptorSubKey = context.getKeyComesFrom() == GssContext.ACCEPTOR_SUBKEY;
+ this.confState = context.getConfState();
+
+ boolean usageFlag = reconstruct ? !this.isInitiator : this.isInitiator;
+ if (tokenType == TOKEN_WRAP_V2) {
+ keyUsage = usageFlag ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
+ } else if (tokenType == TOKEN_MIC_V2) {
+ keyUsage = usageFlag ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
+ }
+
+ encryptor = context.getGssEncryptor();
+
+ if (!reconstruct) {
+ this.sequenceNumber = context.incMySequenceNumber();
+ }
+ }
+
+ // Reconstruct token from bytes received
+ GssTokenV2(int tokenType, GssContext context,
+ MessageProp prop, byte[] token, int offset, int len) throws GSSException {
+ this(tokenType, context, prop, new ByteArrayInputStream(token, offset, len));
+ }
+
+ // Reconstruct token from input stream
+ GssTokenV2(int tokenType, GssContext context,
+ MessageProp prop, InputStream is) throws GSSException {
+ initialize(tokenType, context, true);
+
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ reconstructTokenHeader(prop, is);
+
+ int minSize;
+ if (tokenType == TOKEN_WRAP_V2 && prop.getPrivacy()) {
+ minSize = CONFOUNDER_SIZE + TOKEN_HEADER_SIZE + encryptor.getCheckSumSize();
+ } else {
+ minSize = encryptor.getCheckSumSize();
+ }
+
+ try {
+ int tokenLen = is.available();
+
+ if (tokenType == TOKEN_MIC_V2) {
+ tokenLen = minSize;
+ tokenData = new byte[tokenLen];
+ is.read(tokenData);
+ } else {
+ if (tokenLen >= minSize) {
+ tokenData = new byte[tokenLen];
+ is.read(tokenData);
+ } else {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token length");
+ }
+ }
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ tokenData = rotate(tokenData);
+ }
+
+ if (tokenType == TOKEN_MIC_V2
+ || tokenType == TOKEN_WRAP_V2 && !prop.getPrivacy()) {
+ int checksumLen = encryptor.getCheckSumSize();
+
+ if (tokenType != TOKEN_MIC_V2 && checksumLen != ec) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid EC");
+ }
+
+ checkSum = new byte[checksumLen];
+ System.arraycopy(tokenData, tokenLen - checksumLen, checkSum, 0, checksumLen);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token");
+ }
+ }
+
+ private byte[] rotate(byte[] data) {
+ int dataLen = data.length;
+ if (rrc % dataLen != 0) {
+ rrc = rrc % dataLen;
+ byte[] newBytes = new byte[dataLen];
+
+ System.arraycopy(data, rrc, newBytes, 0, dataLen - rrc);
+ System.arraycopy(data, 0, newBytes, dataLen - rrc, rrc);
+ data = newBytes;
+ }
+ return data;
+ }
+
+ public int getKeyUsage() {
+ return keyUsage;
+ }
+
+ public void generateCheckSum(MessageProp prop, byte[] data, int offset, int len) throws GSSException {
+ // generate token header
+ createTokenHeader(prop.getPrivacy());
+
+ if (tokenType == TOKEN_MIC_V2
+ || !prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
+ checkSum = getCheckSum(data, offset, len);
+ }
+
+ if (!prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
+ header[4] = (byte) (checkSum.length >>> 8);
+ header[5] = (byte) (checkSum.length & 0xFF);
+ }
+ }
+
+ public byte[] getCheckSum(byte[] data, int offset, int len) throws GSSException {
+ int confidentialFlag = header[2] & 2;
+ if (confidentialFlag == 0 && tokenType == TOKEN_WRAP_V2) {
+ header[4] = 0;
+ header[5] = 0;
+ header[6] = 0;
+ header[7] = 0;
+ }
+ return encryptor.calculateCheckSum(header, data, offset, len, keyUsage);
+ }
+
+ public boolean verifyCheckSum(byte[] data, int offset, int len) throws GSSException {
+ byte[] dataCheckSum = getCheckSum(data, offset, len);
+ return MessageDigest.isEqual(checkSum, dataCheckSum);
+ }
+
+ // Create a new header
+ private void createTokenHeader(boolean privacy) {
+ header[0] = (byte) (tokenType >>> 8);
+ header[1] = (byte) tokenType;
+
+ int flags = isInitiator ? 0 : FLAG_SENT_BY_ACCEPTOR;
+ flags |= privacy && tokenType != TOKEN_MIC_V2 ? FLAG_SEALED : 0;
+ flags |= acceptorSubKey ? FLAG_ACCEPTOR_SUBKEY : 0;
+
+ header[2] = (byte) (flags & 0xFF);
+ header[3] = (byte) 0xFF;
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ header[4] = (byte) 0;
+ header[5] = (byte) 0;
+ header[6] = (byte) 0;
+ header[7] = (byte) 0;
+ } else if (tokenType == TOKEN_MIC_V2) {
+ header[4] = (byte) 0xFF;
+ header[5] = (byte) 0xFF;
+ header[6] = (byte) 0xFF;
+ header[7] = (byte) 0xFF;
+ }
+ writeBigEndian(header, 12, sequenceNumber);
+ }
+
+ // Reconstruct a token header
+ private void reconstructTokenHeader(MessageProp prop, InputStream is) throws GSSException {
+ try {
+ if (is.read(header, 0, header.length) != header.length) {
+ throw new GSSException(GSSException.FAILURE, -1, "Token header can not be read");
+ }
+ int tokenIDRecv = (((int) header[0]) << 8) + header[1];
+ if (tokenIDRecv != tokenType) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
+ "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
+ }
+
+ int senderFlag = isInitiator ? FLAG_SENT_BY_ACCEPTOR : 0;
+ int senderFlagRecv = header[2] & FLAG_SENT_BY_ACCEPTOR;
+ if (senderFlagRecv != senderFlag) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid acceptor flag");
+ }
+
+ int confFlagRecv = header[2] & FLAG_SEALED;
+ if (confFlagRecv == FLAG_SEALED && tokenType == TOKEN_WRAP_V2) {
+ prop.setPrivacy(true);
+ } else {
+ prop.setPrivacy(false);
+ }
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ if (header[3] != (byte) 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
+ }
+
+ ec = readBigEndian(header, OFFSET_EC, 2);
+ rrc = readBigEndian(header, OFFSET_RRC, 2);
+ } else if (tokenType == TOKEN_MIC_V2) {
+ for (int i = 3; i < 8; i++) {
+ if ((header[i] & 0xFF) != 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
+ }
+ }
+ }
+
+ prop.setQOP(0);
+ sequenceNumber = readBigEndian(header, 0, 8);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Phrase token header failed");
+ }
+ }
+
+ public int encodeHeader(byte[] buf, int offset) {
+ System.arraycopy(header, 0, buf, offset, TOKEN_HEADER_SIZE);
+ return TOKEN_HEADER_SIZE;
+ }
+
+ public void encodeHeader(OutputStream os) throws IOException {
+ os.write(header);
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
new file mode 100644
index 0000000..372abcb
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
@@ -0,0 +1,386 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.client.KrbClientBase;
+import org.apache.kerby.kerberos.kerb.type.KerberosTime;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddress;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncTgsRepPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.KrbTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.crypto.SecretKey;
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
+import java.io.File;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.nio.ByteBuffer;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Date;
+import java.util.List;
+
+/**
+ * Some utility functions to translate types between GSS and Kerby
+ */
+public class GssUtil {
+ private static final int KERBEROS_TICKET_NUM_FLAGS = 32; // KerberosTicket.NUM_LENGTH
+
+ /**
+ * Construct TgtTicket from info contained in KerberosTicket
+ * @param kerberosTicket
+ * @return
+ * @throws GSSException
+ */
+ public static TgtTicket getTgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
+ String clientName = kerberosTicket.getClient().getName();
+ PrincipalName clientPrincipal = new PrincipalName(clientName);
+
+ byte[] asn1Encoded = kerberosTicket.getEncoded();
+ Ticket ticket = getTicketFromAsn1Encoded(asn1Encoded);
+
+ EncAsRepPart encAsRepPart = new EncAsRepPart();
+ fillEncKdcRepPart(encAsRepPart, kerberosTicket);
+
+ TgtTicket tgt = new TgtTicket(ticket, encAsRepPart, clientPrincipal);
+ return tgt;
+ }
+
+ /**
+ * Init encKdcRepPart members with info from kerberosTicket
+ * @param encKdcRepPart
+ * @param kerberosTicket
+ */
+ public static void fillEncKdcRepPart(EncKdcRepPart encKdcRepPart, KerberosTicket kerberosTicket) {
+ String clientName = kerberosTicket.getClient().getName();
+ PrincipalName clientPrincipal = new PrincipalName(clientName);
+
+ SecretKey secretKey = kerberosTicket.getSessionKey();
+ int keyType = kerberosTicket.getSessionKeyType();
+ EncryptionKey key = new EncryptionKey(keyType, secretKey.getEncoded());
+ encKdcRepPart.setKey(key);
+
+ encKdcRepPart.setSname(clientPrincipal);
+ Date authTimeDate = kerberosTicket.getAuthTime();
+ if (authTimeDate != null) {
+ encKdcRepPart.setAuthTime(new KerberosTime(authTimeDate.getTime()));
+ }
+ Date startTimeDate = kerberosTicket.getStartTime();
+ if (startTimeDate != null) {
+ encKdcRepPart.setStartTime(new KerberosTime(startTimeDate.getTime()));
+ }
+ KerberosTime endTime = new KerberosTime(kerberosTicket.getEndTime().getTime());
+ encKdcRepPart.setEndTime(endTime);
+
+
+ InetAddress[] clientAddresses = kerberosTicket.getClientAddresses();
+ HostAddresses hostAddresses = null;
+ if (clientAddresses != null) {
+ hostAddresses = new HostAddresses();
+ for (InetAddress iAddr : clientAddresses) {
+ hostAddresses.add(new HostAddress(iAddr));
+ }
+ }
+ encKdcRepPart.setCaddr(hostAddresses);
+
+ boolean[] tf = kerberosTicket.getFlags();
+ TicketFlags ticketFlags = getTicketFlags(tf);
+ encKdcRepPart.setFlags(ticketFlags);
+
+
+ /* encKdcRepPart.setKeyExpiration();
+ encKdcRepPart.setLastReq();
+ encKdcRepPart.setNonce(); */
+
+ Date renewTillDate = kerberosTicket.getRenewTill();
+ KerberosTime renewTill = renewTillDate == null ? null : new KerberosTime(renewTillDate.getTime());
+ encKdcRepPart.setRenewTill(renewTill);
+
+ String serverRealm = kerberosTicket.getServer().getRealm();
+ encKdcRepPart.setSrealm(serverRealm);
+ }
+
+ /**
+ * Generate TicketFlags instance from flags
+ * @param flags each item in flags identifies an bit setted or not
+ * @return
+ */
+ public static TicketFlags getTicketFlags(boolean[] flags) {
+ if (flags == null || flags.length != KERBEROS_TICKET_NUM_FLAGS) {
+ return null;
+ }
+ int value = 0;
+ for (boolean flag : flags) {
+ value = (value << 1) + (flag ? 1 : 0);
+ }
+ return new TicketFlags(value);
+ }
+
+ /**
+ * Decode each flag in ticketFlags into an boolean array
+ * @param ticketFlags
+ * @return
+ */
+ public static boolean[] ticketFlagsToBooleans(TicketFlags ticketFlags) {
+ boolean[] ret = new boolean[KERBEROS_TICKET_NUM_FLAGS];
+ int value = ticketFlags.getFlags();
+ for (int i = 0; i < KERBEROS_TICKET_NUM_FLAGS; i++) {
+ ret[KERBEROS_TICKET_NUM_FLAGS - i - 1] = (value & 0x1) != 0;
+ value = value >> 1;
+ }
+ return ret;
+ }
+
+ /**
+ * Construct a Ticket from bytes encoded by Asn1
+ * @param encoded
+ * @return
+ * @throws GSSException
+ */
+ public static Ticket getTicketFromAsn1Encoded(byte[] encoded) throws GSSException {
+ Ticket ticket = new Ticket();
+ ByteBuffer byteBuffer = ByteBuffer.wrap(encoded);
+ try {
+ ticket.decode(byteBuffer);
+ return ticket;
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ }
+
+ /**
+ * Scan current context for SgtTicket
+ * @param client
+ * @param service
+ * @return
+ */
+ public static SgtTicket getSgtCredentialFromContext(GSSCaller caller, String client, String service)
+ throws GSSException {
+ KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, client, service);
+ return getSgtTicketFromKerberosTicket(ticket);
+ }
+
+ /**
+ * Construct a SgtTicket from KerberosTicket
+ * @param kerberosTicket
+ * @return
+ * @throws GSSException
+ */
+ public static SgtTicket getSgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
+ if (kerberosTicket == null) {
+ return null;
+ }
+
+ Ticket ticket = getTicketFromAsn1Encoded(kerberosTicket.getEncoded());
+
+ EncTgsRepPart encTgsRepPart = new EncTgsRepPart();
+ fillEncKdcRepPart(encTgsRepPart, kerberosTicket);
+
+ SgtTicket sgt = new SgtTicket(ticket, encTgsRepPart);
+ return sgt;
+ }
+
+ /**
+ * Apply SgtTicket by sending TGS_REQ to KDC
+ * @param ticket
+ * @param service
+ * @return
+ */
+ public static SgtTicket applySgtCredential(KerberosTicket ticket, String service) throws GSSException {
+ TgtTicket tgt = getTgtTicketFromKerberosTicket(ticket);
+ return applySgtCredential(tgt, service);
+ }
+
+ public static SgtTicket applySgtCredential(TgtTicket tgt, String server) throws GSSException {
+ KrbClientBase client = getKrbClient();
+
+ SgtTicket sgt = null;
+ try {
+ client.init();
+ sgt = client.requestSgt(tgt, server);
+ return sgt;
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ }
+
+ public static KerberosTicket convertKrbTicketToKerberosTicket(KrbTicket krbTicket, String clientName)
+ throws GSSException {
+ byte[] asn1Encoding;
+ try {
+ asn1Encoding = krbTicket.getTicket().encode();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+
+ byte[] sessionKey = krbTicket.getSessionKey().getKeyData();
+ int keyType = krbTicket.getSessionKey().getKeyType().getValue();
+
+ EncKdcRepPart encKdcRepPart = krbTicket.getEncKdcRepPart();
+ KerberosPrincipal client = new KerberosPrincipal(clientName);
+
+ PrincipalName serverPrinc = krbTicket.getTicket().getSname();
+ String serverName = serverPrinc.getName() + "@" + krbTicket.getTicket().getRealm();
+ KerberosPrincipal server = new KerberosPrincipal(serverName, serverPrinc.getNameType().getValue());
+
+ TicketFlags ticketFlags = encKdcRepPart.getFlags();
+ boolean[] flags = ticketFlagsToBooleans(ticketFlags);
+
+ Date authTime = new Date(encKdcRepPart.getAuthTime().getTime());
+ Date startTime = new Date(encKdcRepPart.getStartTime().getTime());
+ Date endTime = new Date(encKdcRepPart.getEndTime().getTime());
+ Date renewTill = new Date(encKdcRepPart.getRenewTill().getTime());
+
+ InetAddress[] clientAddresses = null;
+ List<HostAddress> hostAddresses = encKdcRepPart.getCaddr().getElements();
+ if (hostAddresses != null) {
+ int i = 0;
+ clientAddresses = new InetAddress[hostAddresses.size()];
+ for (HostAddress hostAddr : hostAddresses) {
+ try {
+ InetAddress iAddr = InetAddress.getByAddress(hostAddr.getAddress());
+ clientAddresses[i++] = iAddr;
+ } catch (UnknownHostException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Bad client address");
+ }
+ }
+ }
+
+ KerberosTicket ticket = new KerberosTicket(
+ asn1Encoding,
+ client,
+ server,
+ sessionKey,
+ keyType,
+ flags,
+ authTime,
+ startTime,
+ endTime,
+ renewTill,
+ clientAddresses
+ );
+ return ticket;
+ }
+
+ public static KrbClientBase getKrbClient() {
+ KrbClientBase client;
+ try {
+ File confSpecified = new File(getSystemProperty("java.security.krb5.conf"));
+ if (confSpecified != null) {
+ client = new KrbClientBase(confSpecified);
+ } else {
+ client = new KrbClientBase(); // get configure file from environment variable or default path
+ }
+
+ return client;
+ } catch (KrbException e) {
+ return null;
+ }
+ }
+
+ public static EncryptionKey[] convertKerberosKeyToEncryptionKey(KerberosKey[] krbKeys) {
+ if (krbKeys == null) {
+ return null;
+ }
+ EncryptionKey[] keys = new EncryptionKey[krbKeys.length];
+ int i = 0;
+ for (KerberosKey krbKey : krbKeys) {
+ keys[i++] = new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
+ }
+ return keys;
+ }
+
+ /**
+ * Filter out an appropriate KerberosKey from krbKeys and generate a
+ * EncryptionKey accordingly
+ *
+ * @param krbKeys
+ * @param encType
+ * @param kvno
+ * @return
+ */
+ public static EncryptionKey getEncryptionKey(KerberosKey[] krbKeys, int encType, int kvno) {
+ if (krbKeys == null) {
+ return null;
+ }
+ for (KerberosKey krbKey : krbKeys) {
+ if (krbKey.getKeyType() == encType && krbKey.getVersionNumber() == kvno && !krbKey.isDestroyed()) {
+ return new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Get value of predefined system property
+ * @param name
+ * @return
+ */
+ private static String getSystemProperty(String name) {
+ if (name == null) {
+ return null;
+ }
+
+ final String propertyName = name;
+ try {
+ return AccessController.doPrivileged(
+ new PrivilegedExceptionAction<String>() {
+ public String run() {
+ return System.getProperty(propertyName);
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ return null; // ignored
+ }
+ }
+
+ public static com.sun.security.jgss.AuthorizationDataEntry[]
+ kerbyAuthorizationDataToJgssAuthorizationDataEntries(AuthorizationData authData) {
+ if (authData == null) {
+ return null;
+ }
+ List<AuthorizationDataEntry> kerbyEntries = authData.getElements();
+ com.sun.security.jgss.AuthorizationDataEntry[] entries =
+ new com.sun.security.jgss.AuthorizationDataEntry[kerbyEntries.size()];
+ for (int i = 0; i < kerbyEntries.size(); i++) {
+ entries[i] = new com.sun.security.jgss.AuthorizationDataEntry(
+ kerbyEntries.get(i).getAuthzType().getValue(),
+ kerbyEntries.get(i).getAuthzData());
+ }
+ return entries;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java
new file mode 100644
index 0000000..63baa6b
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class MicTokenV1 extends GssTokenV1 {
+ public MicTokenV1(GssContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_MIC_V1, context);
+ calcPrivacyInfo(messageProp, null, inMsg, msgOffset, msgLength, 0);
+ }
+
+ // This is called to construct MicToken from MicToken bytes
+ MicTokenV1(GssContext context,
+ MessageProp messageProp,
+ byte[] inToken,
+ int tokenOffset,
+ int tokenLength) throws GSSException {
+ super(TOKEN_MIC_V1, context, messageProp, inToken, tokenOffset, tokenLength);
+ }
+
+ public int getMic(byte[] outToken, int offset) throws GSSException, IOException {
+ byte[] data = getMic();
+ System.arraycopy(data, 0, outToken, offset, data.length);
+ return data.length;
+ }
+
+ /**
+ * Get bytes for this Mic token
+ * @return
+ */
+ public byte[] getMic() throws GSSException {
+ ByteArrayOutputStream os = new ByteArrayOutputStream(64);
+ getMic(os);
+ return os.toByteArray();
+ }
+
+ public void getMic(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error in output MicTokenV1 bytes:" + e.getMessage());
+ }
+ }
+
+ public void verify(InputStream is) throws GSSException {
+ byte[] data;
+ try {
+ data = new byte[is.available()];
+ is.read(data);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Read plain data for MicTokenV1 error:" + e.getMessage());
+ }
+ verify(data, 0, data.length);
+ }
+
+ public void verify(byte[] data, int offset, int len) throws GSSException {
+ verifyToken(null, data, offset, len, 0);
+ }
+
+ protected int getTokenSizeWithoutGssHeader() {
+ return getTokenHeaderSize();
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java
new file mode 100644
index 0000000..2441823
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.IOException;
+import java.io.OutputStream;
+
+public class MicTokenV2 extends GssTokenV2 {
+ private MessageProp prop;
+
+ // This is called to construct MicToken from user input
+ MicTokenV2(GssContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_MIC_V2, context);
+
+ prop = messageProp;
+ if (prop == null) {
+ prop = new MessageProp(0, false);
+ }
+
+ generateCheckSum(prop, inMsg, msgOffset, msgLength);
+ }
+
+ // This is called to construct MicToken from MicToken bytes
+ MicTokenV2(GssContext context,
+ MessageProp messageProp,
+ byte[] inToken,
+ int tokenOffset,
+ int tokenLength) throws GSSException {
+ super(TOKEN_MIC_V2, context, messageProp, inToken, tokenOffset, tokenLength);
+ this.prop = messageProp;
+ }
+
+ public int getMic(byte[] outToken, int offset) {
+ encodeHeader(outToken, offset);
+ System.arraycopy(checkSum, 0, outToken, TOKEN_HEADER_SIZE + offset, checkSum.length);
+ return TOKEN_HEADER_SIZE + checkSum.length;
+ }
+
+ /**
+ * Get bytes for this Mic token
+ * @return
+ */
+ public byte[] getMic() {
+ byte[] ret = new byte[TOKEN_HEADER_SIZE + checkSum.length];
+ getMic(ret, 0);
+ return ret;
+ }
+
+ public void getMic(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ os.write(checkSum);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output MicTokenV2 error:" + e.getMessage());
+ }
+ }
+
+ /**
+ * Calculate the checksum for inMsg and compare with it with this token, throw GssException if not equal
+ * @param inMsg
+ * @param msgOffset
+ * @param msgLen
+ * @throws GSSException
+ */
+ public void verify(byte[] inMsg, int msgOffset, int msgLen) throws GSSException {
+ if (!verifyCheckSum(inMsg, msgOffset, msgLen)) {
+ throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt MIC token");
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java
new file mode 100644
index 0000000..03395bb
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java
@@ -0,0 +1,196 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.apache.kerby.kerberos.kerb.crypto.util.Random;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import sun.security.jgss.GSSHeader;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class WrapTokenV1 extends GssTokenV1 {
+ public static final int CONFOUNDER_SIZE = 8;
+
+ private boolean privacy;
+
+ private byte[] inData;
+ private int inOffset;
+ private int inLen;
+
+ private int paddingLen;
+ private byte[] confounder;
+ private int tokenBodyLen;
+
+ private byte[] bodyData;
+ private int bodyOffset;
+ private int bodyLen;
+
+ // for reconstruct
+ private int rawDataLength;
+ private byte[] rawData;
+ private int rawDataOffset;
+
+
+ // Generate wrap token according user data
+ public WrapTokenV1(GssContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp prop) throws GSSException {
+ super(TOKEN_WRAP_V1, context);
+
+ paddingLen = getPaddingLength(msgLength);
+ confounder = Random.makeBytes(CONFOUNDER_SIZE);
+ tokenBodyLen = CONFOUNDER_SIZE + msgLength + paddingLen;
+
+ calcPrivacyInfo(prop, confounder, inMsg, msgOffset, msgLength, paddingLen);
+
+ if (!context.getConfState()) {
+ prop.setPrivacy(false);
+ }
+ privacy = prop.getPrivacy();
+ inData = inMsg;
+ inOffset = msgOffset;
+ inLen = msgLength;
+ }
+
+ // Reconstruct a token from token bytes
+ public WrapTokenV1(GssContext context, MessageProp prop,
+ byte[] token, int offset, int len) throws GSSException {
+ super(TOKEN_WRAP_V1, context, prop, token, offset, len);
+ // adjust the offset to the beginning of the body
+ bodyData = token;
+ bodyOffset = offset + reconHeaderLen;
+ bodyLen = len - reconHeaderLen;
+ getRawData(prop);
+ }
+
+ // Reconstruct a token from token bytes stream
+ public WrapTokenV1(GssContext context, MessageProp prop, InputStream is) throws GSSException {
+ super(TOKEN_WRAP_V1, context, prop, is);
+ byte[] token;
+ int len;
+ try {
+ len = is.available();
+ token = new byte[len];
+ is.read(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Read wrap token V1 error:" + e.getMessage());
+ }
+ bodyData = token;
+ bodyOffset = 0;
+ bodyLen = len;
+ getRawData(prop);
+ }
+
+ private void getRawData(MessageProp prop) throws GSSException {
+ privacy = prop.getPrivacy();
+ tokenBodyLen = getGssHeader().getMechTokenLength() - getTokenHeaderSize();
+
+ if (bodyLen < tokenBodyLen) {
+ throw new GSSException(GSSException.FAILURE, -1, "Insufficient data for Wrap token V1");
+ }
+
+ if (privacy) {
+ rawData = encryptor.encryptTokenV1(null, bodyData, bodyOffset, tokenBodyLen, 0,
+ encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, false);
+ paddingLen = rawData[rawData.length - 1];
+ rawDataOffset = CONFOUNDER_SIZE;
+ } else {
+ rawData = bodyData;
+ paddingLen = bodyData[bodyOffset + tokenBodyLen - 1];
+ rawDataOffset = bodyOffset + CONFOUNDER_SIZE;
+ }
+ rawDataLength = tokenBodyLen - CONFOUNDER_SIZE - paddingLen;
+
+ verifyToken(null, rawData, rawDataOffset - CONFOUNDER_SIZE, tokenBodyLen, 0);
+ }
+
+ // Get plain text data from token data bytes
+ public byte[] unwrap() throws GSSException {
+ byte[] ret = new byte[rawDataLength];
+ System.arraycopy(rawData, rawDataOffset, ret, 0, rawDataLength);
+ return ret;
+ }
+
+ public void unwrap(OutputStream os) throws GSSException {
+ try {
+ os.write(rawData, rawDataOffset, rawDataLength);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error in output wrap token v1 data bytes:" + e.getMessage());
+ }
+ }
+
+ public byte[] wrap() throws GSSException {
+ ByteArrayOutputStream os = new ByteArrayOutputStream(getTokenSizeWithoutGssHeader() + inLen + 64);
+ wrap(os);
+ return os.toByteArray();
+ }
+
+ public void wrap(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ if (privacy) {
+ byte[] enc = encryptor.encryptTokenV1(confounder, inData, inOffset, inLen, paddingLen,
+ encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, true);
+ os.write(enc);
+ } else {
+ os.write(confounder);
+ os.write(inData, inOffset, inLen);
+ os.write(getPaddingBytes(paddingLen));
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error in output wrap token v1 bytes:" + e.getMessage());
+ }
+ }
+
+ protected int getTokenSizeWithoutGssHeader() {
+ return tokenBodyLen + getTokenHeaderSize();
+ }
+
+ private int getPaddingLength(int dataLen) {
+ if (encryptor.isArcFourHmac()) {
+ return 1;
+ }
+ return 8 - (dataLen % 8);
+ }
+
+ private byte[] getPaddingBytes(int len) {
+ byte[] ret = new byte[len];
+ int i = 0;
+ while (i < len) {
+ ret[i++] = (byte) len;
+ }
+ return ret;
+ }
+
+ public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, GssEncryptor encryptor)
+ throws GSSException {
+ return GSSHeader.getMaxMechTokenSize(objId, maxTokSize)
+ - encryptor.getCheckSumSize()
+ - TOKEN_HEADER_COMM_SIZE - TOKEN_HEADER_SEQ_SIZE
+ - CONFOUNDER_SIZE - 8;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
new file mode 100644
index 0000000..3161e2f
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
@@ -0,0 +1,158 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+
+public class WrapTokenV2 extends GssTokenV2 {
+ private MessageProp prop;
+
+ // Generate a token from user input data
+ WrapTokenV2(GssContext context,
+ byte[] data,
+ int dataOffset,
+ int dataLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_WRAP_V2, context);
+
+ prop = messageProp;
+
+ if (prop.getQOP() != 0) {
+ prop.setQOP(0);
+ }
+
+ if (!context.getConfState()) {
+ prop.setPrivacy(false);
+ }
+
+ generateCheckSum(prop, data, dataOffset, dataLength);
+
+ if (prop.getPrivacy()) {
+ byte[] toProcess = new byte[dataLength + TOKEN_HEADER_SIZE];
+ System.arraycopy(data, dataOffset, toProcess, 0, dataLength);
+ encodeHeader(toProcess, dataLength);
+
+ tokenData = encryptor.encryptData(toProcess, getKeyUsage());
+ } else {
+ tokenData = data; // keep it for now
+ }
+ }
+
+ /**
+ * Get bytes of the token
+ * @return
+ */
+ public byte[] wrap() {
+ int dataSize = tokenData.length;
+ int ckSize = checkSum == null ? 0 : checkSum.length;
+ byte[] ret = new byte[TOKEN_HEADER_SIZE + dataSize + ckSize];
+ encodeHeader(ret, 0);
+ System.arraycopy(tokenData, 0, ret, TOKEN_HEADER_SIZE, dataSize);
+ if (ckSize > 0) {
+ System.arraycopy(checkSum, 0, ret, TOKEN_HEADER_SIZE + dataSize, ckSize);
+ }
+ return ret;
+ }
+
+ public void wrap(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ os.write(tokenData);
+ int ckSize = checkSum == null ? 0 : checkSum.length;
+ if (ckSize > 0) {
+ os.write(checkSum);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
+ }
+ }
+
+ // Reconstruct a token from token bytes
+ public WrapTokenV2(GssContext context, MessageProp prop, byte[] token, int offset, int len) throws GSSException {
+ super(TOKEN_WRAP_V2, context, prop, token, offset, len);
+ this.prop = prop;
+ }
+
+ // Reconstruct a token from token bytes stream
+ public WrapTokenV2(GssContext context, MessageProp prop, InputStream is) throws GSSException {
+ super(TOKEN_WRAP_V2, context, prop, is);
+ this.prop = prop;
+ }
+
+ /**
+ * Get plain text data from token bytes
+ * @param outBuffer
+ * @param offset
+ * @return plain text contained in the wrap token
+ * @throws GSSException
+ */
+ public byte[] unwrap(byte[] outBuffer, int offset) throws GSSException {
+ int lenToCopy;
+ if (prop.getPrivacy()) {
+ byte[] plainText = encryptor.decryptData(tokenData, getKeyUsage());
+ lenToCopy = plainText.length - TOKEN_HEADER_SIZE;
+ if (outBuffer == null) {
+ outBuffer = new byte[lenToCopy];
+ offset = 0;
+ }
+ System.arraycopy(plainText, 0, outBuffer, offset, lenToCopy);
+ } else {
+ lenToCopy = tokenData.length - encryptor.getCheckSumSize();
+ if (outBuffer == null) {
+ outBuffer = new byte[lenToCopy];
+ offset = 0;
+ }
+ System.arraycopy(tokenData, 0, outBuffer, offset, lenToCopy);
+
+ if (!verifyCheckSum(outBuffer, offset, lenToCopy)) {
+ throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt token checksum");
+ }
+ }
+ return outBuffer;
+ }
+
+ public byte[] unwrap() throws GSSException {
+ return unwrap(null, 0);
+ }
+
+ public void unwrap(OutputStream os) throws GSSException {
+ byte[] data = unwrap();
+ try {
+ os.write(data);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
+ }
+ }
+
+ public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, GssEncryptor encryptor)
+ throws GSSException {
+ if (confReq) {
+ return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE * 2 - CONFOUNDER_SIZE;
+ } else {
+ return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE;
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
deleted file mode 100644
index adacb27..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
+++ /dev/null
@@ -1,149 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi;
-
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyAcceptCred;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyContext;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyCredElement;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyInitCred;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyNameElement;
-import org.ietf.jgss.GSSCredential;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
-import sun.security.jgss.GSSCaller;
-import sun.security.jgss.spi.GSSContextSpi;
-import sun.security.jgss.spi.GSSCredentialSpi;
-import sun.security.jgss.spi.GSSNameSpi;
-import sun.security.jgss.spi.MechanismFactory;
-
-import java.security.Provider;
-
-/**
- * Kerby Kerberos V5 plugin for JGSS
- */
-public class KerbyMechFactory implements MechanismFactory {
- private static final Provider PROVIDER =
- new org.apache.kerby.kerberos.kerb.gssapi.Provider();
-
- private static final String KRB5_OID_STRING = "1.2.840.113554.1.2.2";
- private static final Oid KRB5_OID = createOid(KRB5_OID_STRING);
-
- private static Oid[] nameTypes =
- new Oid[] {
- GSSName.NT_USER_NAME,
- GSSName.NT_EXPORT_NAME,
- GSSName.NT_HOSTBASED_SERVICE
- };
-
- private final GSSCaller caller;
-
- public Oid getMechanismOid() {
- return KRB5_OID;
- }
-
- public Provider getProvider() {
- return PROVIDER;
- }
-
- public Oid[] getNameTypes() throws GSSException {
- return nameTypes;
- }
-
- public KerbyMechFactory(GSSCaller caller) {
- this.caller = caller;
- }
-
- public GSSNameSpi getNameElement(String nameStr, Oid nameType)
- throws GSSException {
- return KerbyNameElement.getInstance(nameStr, nameType);
- }
-
- public GSSNameSpi getNameElement(byte[] name, Oid nameType)
- throws GSSException {
- return KerbyNameElement.getInstance(name.toString(), nameType);
- }
-
- // Used by initiator
- public GSSContextSpi getMechanismContext(GSSNameSpi peer,
- GSSCredentialSpi myInitiatorCred,
- int lifetime) throws GSSException {
- if (peer != null && !(peer instanceof KerbyNameElement)) {
- peer = KerbyNameElement.getInstance(peer.toString(), peer.getStringNameType());
- }
- if (myInitiatorCred == null) {
- myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
- }
- return new KerbyContext(caller, (KerbyNameElement) peer, (KerbyInitCred) myInitiatorCred, lifetime);
- }
-
- public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
- throws GSSException {
- if (myAcceptorCred == null) {
- myAcceptorCred = getCredentialElement(null, 0,
- GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
- }
- return new KerbyContext(caller, (KerbyAcceptCred) myAcceptorCred);
- }
-
- // Reconstruct from previously exported context
- public GSSContextSpi getMechanismContext(byte[] exportedContext)
- throws GSSException {
- return new KerbyContext(caller, exportedContext);
- }
-
- public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
- int initLifetime,
- int acceptLifetime,
- int usage)
- throws GSSException {
- if (name != null && !(name instanceof KerbyNameElement)) {
- name = KerbyNameElement.getInstance(name.toString(), name.getStringNameType());
- }
-
- KerbyCredElement credElement;
-
- if (usage == GSSCredential.INITIATE_ONLY) {
- credElement = KerbyInitCred.getInstance(caller, (KerbyNameElement) name, initLifetime);
- } else if (usage == GSSCredential.ACCEPT_ONLY) {
- credElement = KerbyAcceptCred.getInstance(caller, (KerbyNameElement) name, acceptLifetime);
- } else if (usage == GSSCredential.INITIATE_AND_ACCEPT) {
- throw new GSSException(GSSException.FAILURE, -1, "Unsupported usage mode: INITIATE_AND_ACCEPT");
- } else {
- throw new GSSException(GSSException.FAILURE, -1, "Unknown usage mode: " + usage);
- }
-
- return credElement;
- }
-
- private static Oid createOid(String oidStr) {
- Oid retVal;
- try {
- retVal = new Oid(oidStr);
- } catch (GSSException e) {
- retVal = null;
- }
- return retVal;
- }
-
- public static Oid getOid() {
- return KRB5_OID;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
deleted file mode 100644
index ad3a614..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi;
-
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-
-/**
- * Proivder is used to register the implementation of gssapi mechanism into the system
- */
-public final class Provider extends java.security.Provider {
- private static final long serialVersionUID = 3787378212107821987L;
- private static final String INFO = "Kerby GssApi Provider";
- private static final String MECHANISM_GSSAPI = "GssApiMechanism.1.2.840.113554.1.2.2";
- private static final String MECHANISM_GSSAPI_CLASS = "org.apache.kerby.kerberos.kerb.gssapi.KerbyMechFactory";
-
- public Provider() {
- super("KerbyGssApi", 0.01d, INFO);
-
- AccessController.doPrivileged(new PrivilegedAction<Void>() {
- public Void run() {
-
- put(MECHANISM_GSSAPI, MECHANISM_GSSAPI_CLASS);
-
- return null;
- }
- });
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
deleted file mode 100644
index f7ddc31..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
+++ /dev/null
@@ -1,89 +0,0 @@
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import sun.security.jgss.GSSCaller;
-
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.*;
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.Set;
-
-/**
- * Utility functions to deal with credentials in Context
- */
-public class CredUtils {
-
- public static <T> Set<T> getContextPrivateCredentials(Class<T> credentialType, AccessControlContext acc) {
- Subject subject = Subject.getSubject(acc);
- Set<T> creds = subject.getPrivateCredentials(credentialType);
- return creds;
- }
-
- public static <T> Set<T> getContextCredentials(final Class<T> credentialType) throws GSSException {
- final AccessControlContext acc = AccessController.getContext();
- try {
- return AccessController.doPrivileged(
- new PrivilegedExceptionAction<Set<T>>() {
- public Set<T> run() throws Exception {
- return CredUtils.getContextPrivateCredentials(credentialType, acc);
- }
- });
- } catch (PrivilegedActionException e) {
- throw new GSSException(GSSException.NO_CRED, -1, "Get credential from context failed");
- }
- }
-
- public static KerberosTicket getKerberosTicketFromContext(GSSCaller caller,
- final String clientName,
- final String serverName) throws GSSException {
- Set<KerberosTicket> tickets = getContextCredentials(KerberosTicket.class);
- for (KerberosTicket ticket : tickets) {
- if (ticket.isCurrent() && (serverName == null || ticket.getServer().getName().equals(serverName))
- && (clientName == null || ticket.getClient().getName().equals(clientName))) {
- return ticket;
- }
- }
- return null;
- }
-
- public static KeyTab getKeyTabFromContext(KerberosPrincipal principal) throws GSSException {
- Set<KeyTab> tabs = getContextCredentials(KeyTab.class);
- for (KeyTab tab : tabs) {
- KerberosKey[] keys = tab.getKeys(principal);
- if (keys != null && keys.length > 0) {
- return tab;
- }
- }
- return null;
- }
-
- public static void addCredentialToSubject(final KerberosTicket ticket) throws GSSException {
- final AccessControlContext acc = AccessController.getContext();
-
- final Subject subject = AccessController.doPrivileged(
- new java.security.PrivilegedAction<Subject>() {
- public Subject run() {
- return Subject.getSubject(acc);
- }
- });
-
- AccessController.doPrivileged(
- new java.security.PrivilegedAction<Void>() {
- public Void run() {
- subject.getPrivateCredentials().add(ticket);
- return null;
- }
- });
- }
-
- public static void checkPrincipalPermission(String principalName, String action) {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- ServicePermission sp = new ServicePermission(principalName, action);
- sm.checkPermission(sp);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
deleted file mode 100644
index a7331fa..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-
-import org.ietf.jgss.GSSException;
-import sun.security.jgss.GSSCaller;
-
-import javax.security.auth.kerberos.KerberosKey;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.kerberos.KeyTab;
-
-public final class KerbyAcceptCred extends KerbyCredElement {
-
- private final KeyTab keyTab;
-
- public static KerbyAcceptCred getInstance(final GSSCaller caller,
- KerbyNameElement name, int lifeTime) throws GSSException {
-
- KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
- name.getPrincipalName().getNameType().getValue());
- KeyTab keyTab = CredUtils.getKeyTabFromContext(princ);
-
- if (keyTab == null) {
- throw new GSSException(GSSException.NO_CRED, -1,
- "Failed to find any Kerberos credential for " + name.getPrincipalName().getName());
- }
-
- return new KerbyAcceptCred(caller, name, keyTab, lifeTime);
- }
-
- private KerbyAcceptCred(GSSCaller caller, KerbyNameElement name, KeyTab keyTab, int lifeTime) {
- super(caller, name);
- this.keyTab = keyTab;
- this.accLifeTime = lifeTime;
- }
-
- public boolean isInitiatorCredential() throws GSSException {
- return false;
- }
-
- public boolean isAcceptorCredential() throws GSSException {
- return true;
- }
-
- public KeyTab getKeyTab() {
- return this.keyTab;
- }
-
- public KerberosKey[] getKeys() {
- KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
- name.getPrincipalName().getNameType().getValue());
- return keyTab.getKeys(princ);
- }
-}