Posted to commits@directory.apache.org by co...@apache.org on 2017/07/21 11:26:48 UTC
[01/50] [abbrv] directory-kerby git commit: NOTICE file in the root
folder only contain the AL2.0 and standard notice.
Repository: directory-kerby
Updated Branches:
refs/heads/gssapi f3876f97d -> 53aade434
NOTICE file in the root folder only contains the AL2.0 and standard notice.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/9210235a
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/9210235a
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/9210235a
Branch: refs/heads/gssapi
Commit: 9210235a9ca754e6e9020f0e5f53c6fac675ab53
Parents: 27aeb3c
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed May 25 16:42:14 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
NOTICE | 6 ++++++
NOTICE.txt | 18 ------------------
2 files changed, 6 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/9210235a/NOTICE
----------------------------------------------------------------------
diff --git a/NOTICE b/NOTICE
new file mode 100644
index 0000000..9503483
--- /dev/null
+++ b/NOTICE
@@ -0,0 +1,6 @@
+Apache Kerby
+Copyright 2015-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/9210235a/NOTICE.txt
----------------------------------------------------------------------
diff --git a/NOTICE.txt b/NOTICE.txt
deleted file mode 100644
index e3bad4e..0000000
--- a/NOTICE.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-Apache Kerby
-Copyright 2015 The Apache Software Foundation
-
-This product includes software developed at
-The Apache Software Foundation (http://www.apache.org/).
-
-
-This product includes/uses SLF4J (http://www.slf4j.org/)
-Copyright (c) 2004-2016 QOS.ch
-
-This product includes/uses JUnit (http://www.junit.org/)
-Copyright (c) 2002-2016 JUnit.
-
-This product includes/uses Gson (https://github.com/google/gson)
-Copyright (c) 2008 Google Inc.
-
-This product includes/uses Netty (http://netty.io/)
-Copyright (c) 2016 The Netty project
\ No newline at end of file
[39/50] [abbrv] directory-kerby git commit: DIRKRB-588 - Support
validation keys in different formats Note: Introducing a Commons IO
dependency as part of this patch
Posted by co...@apache.org.
DIRKRB-588 - Support validation keys in different formats
Note: Introducing a Commons IO dependency as part of this patch
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/a2beb881
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/a2beb881
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/a2beb881
Branch: refs/heads/gssapi
Commit: a2beb881a862c96b04e39265cc3e776a5d87e5c2
Parents: 050c3d0
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Jun 16 10:35:04 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
kerby-kerb/kerb-common/pom.xml | 6 ++
.../kerberos/kerb/common/PublicKeyReader.java | 60 +++++++++-----------
pom.xml | 1 +
3 files changed, 35 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a2beb881/kerby-kerb/kerb-common/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/pom.xml b/kerby-kerb/kerb-common/pom.xml
index 2272c96..779c391 100644
--- a/kerby-kerb/kerb-common/pom.xml
+++ b/kerby-kerb/kerb-common/pom.xml
@@ -36,5 +36,11 @@
<artifactId>kerb-crypto</artifactId>
<version>${project.version}</version>
</dependency>
+ <dependency>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ <version>${commons-io.version}</version>
+ <scope>compile</scope>
+ </dependency>
</dependencies>
</project>
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a2beb881/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/PublicKeyReader.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/PublicKeyReader.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/PublicKeyReader.java
index 49b2012..988d259 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/PublicKeyReader.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/PublicKeyReader.java
@@ -19,56 +19,52 @@
*/
package org.apache.kerby.kerberos.kerb.common;
-import org.apache.kerby.util.Base64;
-
-import java.io.BufferedReader;
-import java.io.IOException;
+import java.io.ByteArrayInputStream;
import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
+import org.apache.commons.io.IOUtils;
+import org.apache.kerby.util.Base64;
+
public class PublicKeyReader {
public static PublicKey loadPublicKey(InputStream in) throws Exception {
+ byte[] keyBytes = IOUtils.toByteArray(in);
+
try {
- BufferedReader br = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8));
- String readLine = null;
- StringBuilder sb = new StringBuilder();
- while ((readLine = br.readLine()) != null) {
- if (readLine.charAt(0) == '-') {
- continue;
- } else {
- sb.append(readLine);
- sb.append('\r');
- }
- }
- return loadPublicKey(sb.toString());
- } catch (IOException e) {
- throw e;
- } catch (NullPointerException e) {
- throw e;
+ return loadPublicKey(keyBytes);
+ } catch (InvalidKeySpecException ex) {
+ // It might be a Certificate and not a PublicKey...
+ Certificate cert =
+ CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(keyBytes));
+ return cert.getPublicKey();
}
}
- public static PublicKey loadPublicKey(String publicKeyStr) throws Exception {
- try {
+ public static PublicKey loadPublicKey(byte[] publicKeyBytes) throws Exception {
+ String pubKey = new String(publicKeyBytes, "UTF-8");
+ if (pubKey.startsWith("-----BEGIN PUBLIC KEY-----")) {
+ // PEM format
+ pubKey = pubKey.replace("-----BEGIN PUBLIC KEY-----", "");
+ pubKey = pubKey.replace("-----END PUBLIC KEY-----", "");
+
Base64 base64 = new Base64();
- byte[] buffer = base64.decode(publicKeyStr);
+ byte[] buffer = base64.decode(pubKey.trim());
+
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(buffer);
return keyFactory.generatePublic(keySpec);
- } catch (NoSuchAlgorithmException e) {
- throw e;
- } catch (InvalidKeySpecException e) {
- throw e;
- } catch (NullPointerException e) {
- throw e;
+ } else {
+ // DER format
+ KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+ X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
+ return keyFactory.generatePublic(keySpec);
}
}
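Review bot: Both branches of the new loadPublicKey(byte[]) hard-code `KeyFactory.getInstance("RSA")`, so a non-RSA SubjectPublicKeyInfo (an EC key, for instance) throws InvalidKeySpecException and the catch in loadPublicKey(InputStream) then retries it as an X.509 certificate, surfacing a misleading CertificateException — for a commit titled "support validation keys in different formats" that limit should either be lifted or stated in a Javadoc on the method. The two branches also duplicate the KeyFactory/X509EncodedKeySpec lines; deriving the DER bytes first and then trying the supported algorithms in one helper, as below, removes the duplication and lifts the limit (the StandardCharsets import this hunk removed has to come back). `new String(publicKeyBytes, "UTF-8")` reads better as `new String(publicKeyBytes, StandardCharsets.UTF_8)`, which also drops the checked UnsupportedEncodingException currently hidden behind `throws Exception`. `IOUtils.toByteArray(in)` reads the whole stream into memory without a bound, which is fine for a configured key file but worth a comment if any caller can hand it a network stream (not visible here).
```java
    public static PublicKey loadPublicKey(byte[] publicKeyBytes) throws Exception {
        String pubKey = new String(publicKeyBytes, StandardCharsets.UTF_8);
        byte[] der = publicKeyBytes;
        if (pubKey.startsWith("-----BEGIN PUBLIC KEY-----")) {
            // PEM format: strip the armour and base64-decode the body
            pubKey = pubKey.replace("-----BEGIN PUBLIC KEY-----", "");
            pubKey = pubKey.replace("-----END PUBLIC KEY-----", "");
            der = new Base64().decode(pubKey.trim());
        }
        return decodeX509(der);
    }

    // Try each supported key algorithm against the DER SubjectPublicKeyInfo; rethrow the
    // last InvalidKeySpecException so the caller's certificate fallback still applies.
    private static PublicKey decodeX509(byte[] der) throws Exception {
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(der);
        InvalidKeySpecException last = null;
        for (String algorithm : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(algorithm).generatePublic(keySpec);
            } catch (InvalidKeySpecException e) {
                last = e;
            }
        }
        throw last;
    }
    // … unchanged: loadPublicKey(InputStream) …
```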
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a2beb881/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 7e6967f..3aeef2a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -49,6 +49,7 @@
<properties>
<apacheds.version>2.0.0-M21</apacheds.version>
<bouncycastle.version>1.54</bouncycastle.version>
+ <commons-io.version>2.5</commons-io.version>
<gson.version>2.6.2</gson.version>
<ldap.api.version>1.0.0-M33</ldap.api.version>
<log4j.version>1.2.17</log4j.version>
[02/50] [abbrv] directory-kerby git commit: Add the copyright in
NOTICE.
Posted by co...@apache.org.
Add the copyright in NOTICE.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/27aeb3ce
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/27aeb3ce
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/27aeb3ce
Branch: refs/heads/gssapi
Commit: 27aeb3cef246ebf522efb97020df8e36c4e2380c
Parents: 2d5b3d0
Author: plusplusjiajia <ji...@intel.com>
Authored: Tue May 24 16:33:08 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
NOTICE.txt | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/27aeb3ce/NOTICE.txt
----------------------------------------------------------------------
diff --git a/NOTICE.txt b/NOTICE.txt
index 5d797ab..e3bad4e 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -6,5 +6,13 @@ The Apache Software Foundation (http://www.apache.org/).
This product includes/uses SLF4J (http://www.slf4j.org/)
+Copyright (c) 2004-2016 QOS.ch
-This product includes/uses JUnit (http://www.junit.org/
\ No newline at end of file
+This product includes/uses JUnit (http://www.junit.org/)
+Copyright (c) 2002-2016 JUnit.
+
+This product includes/uses Gson (https://github.com/google/gson)
+Copyright (c) 2008 Google Inc.
+
+This product includes/uses Netty (http://netty.io/)
+Copyright (c) 2016 The Netty project
\ No newline at end of file
[17/50] [abbrv] directory-kerby git commit: DIRKRB-552 Fail to
restart KdcServer.
Posted by co...@apache.org.
DIRKRB-552 Fail to restart KdcServer.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/71becf75
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/71becf75
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/71becf75
Branch: refs/heads/gssapi
Commit: 71becf750615c1694b787ac8834dd2a6d006e026
Parents: 223e457
Author: plusplusjiajia <ji...@intel.com>
Authored: Mon May 23 16:58:23 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerberos/kdc/impl/NettyKdcNetwork.java | 10 +++++
.../kerberos/kdc/impl/NettyKdcServerImpl.java | 14 ++++++-
kerby-kerb/kerb-kdc-test/pom.xml | 6 +++
.../RepeatLoginWithDefaultKdcNetworkTest.java | 34 ++++++++++++++++
.../RepeatLoginWithNettyKdcNetworkTest.java | 43 ++++++++++++++++++++
.../impl/DefaultInternalKdcServerImpl.java | 19 ++++++++-
6 files changed, 124 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/71becf75/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcNetwork.java
----------------------------------------------------------------------
diff --git a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcNetwork.java b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcNetwork.java
index cfa4adb..1740432 100644
--- a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcNetwork.java
+++ b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcNetwork.java
@@ -126,5 +126,15 @@ public class NettyKdcNetwork {
if (udpAddress != null) {
group.shutdownGracefully();
}
+
+ try {
+ bossGroup.terminationFuture().sync();
+ workerGroup.terminationFuture().sync();
+ if (udpAddress != null) {
+ group.terminationFuture().sync();
+ }
+ } catch (InterruptedException e) {
+ e.printStackTrace();
+ }
}
}
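Review bot: The new catch block swallows InterruptedException with `e.printStackTrace()`: the interrupt flag is lost, so a caller that interrupted the stop cannot observe it, and the stack trace bypasses the project's SLF4J logging. Replace the body with `Thread.currentThread().interrupt();` followed by a warning log (whether this class already has a LOG field is not visible in the hunk). The three `terminationFuture().sync()` calls also wait without a timeout, so a group that never terminates blocks stop() indefinitely; `awaitTermination(long, TimeUnit)` on each group gives a bounded wait. The enclosing method starts outside the hunk.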
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/71becf75/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcServerImpl.java
----------------------------------------------------------------------
diff --git a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcServerImpl.java b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcServerImpl.java
index 9a795f0..5c527f1 100644
--- a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcServerImpl.java
+++ b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcServerImpl.java
@@ -29,6 +29,7 @@ import org.slf4j.LoggerFactory;
import java.net.InetSocketAddress;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
+import java.util.concurrent.TimeUnit;
/**
* A Netty based KDC server implementation.
@@ -81,7 +82,18 @@ public class NettyKdcServerImpl extends AbstractInternalKdcServer {
network.stop();
- executor.shutdownNow();
+ executor.shutdown();
+
+ try {
+ boolean terminated = false;
+ do {
+ // wait until the pool has terminated
+ terminated = executor.awaitTermination(60, TimeUnit.SECONDS);
+ } while (!terminated);
+ } catch (InterruptedException e) {
+ executor.shutdownNow();
+ LOG.warn("waitForTermination interrupted");
+ }
LOG.info("Netty kdc server stopped.");
}
}
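Review bot: The do/while around `executor.awaitTermination(60, TimeUnit.SECONDS)` never exits while a task is still running, so stop() can hang forever if a handler does not finish after network.stop(); the previous `shutdownNow()` at least interrupted such tasks. Bound the wait instead: call shutdownNow() when the first awaitTermination() returns false and log that the pool was forced down. The InterruptedException branch calls shutdownNow() but does not restore the interrupt flag; add `Thread.currentThread().interrupt();` there. The identical block is added to DefaultInternalKdcServerImpl.stop() in this commit and needs the same change.
```java
        network.stop();
        executor.shutdown();
        try {
            // bounded wait: force the pool down rather than spinning forever
            if (!executor.awaitTermination(60, TimeUnit.SECONDS)) {
                LOG.warn("executor did not terminate within 60s, calling shutdownNow()");
                executor.shutdownNow();
            }
        } catch (InterruptedException e) {
            executor.shutdownNow();
            Thread.currentThread().interrupt();  // preserve the caller's interrupt
            LOG.warn("waitForTermination interrupted");
        }
        LOG.info("Netty kdc server stopped.");
```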
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/71becf75/kerby-kerb/kerb-kdc-test/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/pom.xml b/kerby-kerb/kerb-kdc-test/pom.xml
index 3f01e59..b471f3a 100644
--- a/kerby-kerb/kerb-kdc-test/pom.xml
+++ b/kerby-kerb/kerb-kdc-test/pom.xml
@@ -63,6 +63,12 @@
<version>${slf4j.version}</version>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerby-kdc</artifactId>
+ <version>1.0.0-RC3-SNAPSHOT</version>
+ <scope>test</scope>
+ </dependency>
</dependencies>
<build>
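Review bot: The new kerby-kdc dependency pins `<version>1.0.0-RC3-SNAPSHOT</version>` literally, while sibling modules in this build are referenced as `<version>${project.version}</version>` (the kerb-crypto dependency in kerb-common/pom.xml in this same series shows the convention); the literal will silently go stale at the next release bump. Change it to `<version>${project.version}</version>`.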
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/71becf75/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/RepeatLoginWithDefaultKdcNetworkTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/RepeatLoginWithDefaultKdcNetworkTest.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/RepeatLoginWithDefaultKdcNetworkTest.java
new file mode 100644
index 0000000..8ce8e71
--- /dev/null
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/RepeatLoginWithDefaultKdcNetworkTest.java
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.server;
+
+import org.junit.Test;
+
+public class RepeatLoginWithDefaultKdcNetworkTest extends LoginTestBase {
+ @Test
+ public void testLogin() throws Exception {
+ checkSubject(super.loginServiceUsingKeytab());
+ }
+
+ @Test
+ public void testLoginSecondTime() throws Exception {
+ checkSubject(super.loginServiceUsingKeytab());
+ }
+}
\ No newline at end of file
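Review bot: The two test methods are byte-identical and nothing in the class says why; a reader will assume a copy-paste error, and JUnit 4 does not guarantee that testLoginSecondTime runs after testLogin. Presumably LoginTestBase starts and stops the KDC around each test, so the second method exercises the restart from DIRKRB-552 — a class-level Javadoc such as `/** Logs in from two tests so the KDC is started, stopped and restarted in between (DIRKRB-552). */` would make that explicit. The same applies to RepeatLoginWithNettyKdcNetworkTest in this commit. Both new files also lack a trailing newline.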
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/71becf75/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/RepeatLoginWithNettyKdcNetworkTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/RepeatLoginWithNettyKdcNetworkTest.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/RepeatLoginWithNettyKdcNetworkTest.java
new file mode 100644
index 0000000..e82db7b
--- /dev/null
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/RepeatLoginWithNettyKdcNetworkTest.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.server;
+
+import org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.junit.Test;
+
+public class RepeatLoginWithNettyKdcNetworkTest extends LoginTestBase {
+ @Override
+ protected void prepareKdc() throws KrbException {
+ getKdcServer().setInnerKdcImpl(
+ new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
+ super.prepareKdc();
+ }
+
+ @Test
+ public void testLogin() throws Exception {
+ checkSubject(super.loginServiceUsingKeytab());
+ }
+
+ @Test
+ public void testLoginSecondTime() throws Exception {
+ checkSubject(super.loginServiceUsingKeytab());
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/71becf75/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/impl/DefaultInternalKdcServerImpl.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/impl/DefaultInternalKdcServerImpl.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/impl/DefaultInternalKdcServerImpl.java
index dec1221..3ffd877 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/impl/DefaultInternalKdcServerImpl.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/impl/DefaultInternalKdcServerImpl.java
@@ -26,14 +26,18 @@ import org.apache.kerby.kerberos.kerb.server.preauth.PreauthHandler;
import org.apache.kerby.kerberos.kerb.transport.KdcNetwork;
import org.apache.kerby.kerberos.kerb.transport.KrbTransport;
import org.apache.kerby.kerberos.kerb.transport.TransportPair;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
+import java.util.concurrent.TimeUnit;
/**
* A default KDC server implementation.
*/
public class DefaultInternalKdcServerImpl extends AbstractInternalKdcServer {
+ private static final Logger LOG = LoggerFactory.getLogger(DefaultInternalKdcServerImpl.class);
private ExecutorService executor;
private KdcContext kdcContext;
private KdcNetwork network;
@@ -78,6 +82,19 @@ public class DefaultInternalKdcServerImpl extends AbstractInternalKdcServer {
network.stop();
- executor.shutdownNow();
+ executor.shutdown();
+
+ try {
+ boolean terminated = false;
+ do {
+ // wait until the pool has terminated
+ terminated = executor.awaitTermination(60, TimeUnit.SECONDS);
+ } while (!terminated);
+ } catch (InterruptedException e) {
+ executor.shutdownNow();
+ LOG.warn("waitForTermination interrupted");
+ }
+
+ LOG.info("Default Internal kdc server stopped.");
}
}
[07/50] [abbrv] directory-kerby git commit: Fix kdc can't set backend
in unit tests.
Posted by co...@apache.org.
Fix: KDC can't set the backend in unit tests.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/2dde1f7b
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/2dde1f7b
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/2dde1f7b
Branch: refs/heads/gssapi
Commit: 2dde1f7b30300759c4daad9a1d0939127aa85017
Parents: d309a01
Author: plusplusjiajia <ji...@intel.com>
Authored: Fri Apr 22 11:00:00 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../java/org/apache/kerby/kerberos/kdc/JsonBackendKdcTest.java | 2 +-
.../java/org/apache/kerby/kerberos/kdc/LdapBackendKdcTest.java | 2 +-
.../org/apache/kerby/kerberos/kdc/ZookeeperBackendKdcTest.java | 4 ++--
.../kerby/kerberos/kerb/integration/test/SaslAppTest.java | 5 ++---
4 files changed, 6 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2dde1f7b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/JsonBackendKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/JsonBackendKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/JsonBackendKdcTest.java
index 1292aa9..9247e3e 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/JsonBackendKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/JsonBackendKdcTest.java
@@ -33,7 +33,6 @@ public class JsonBackendKdcTest extends KerbyKdcTest {
@Override
protected void prepareKdc() throws KrbException {
- super.prepareKdc();
File testDir = new File(System.getProperty("test.dir", "target"));
jsonBackendFile = new File(testDir, "json-backend-file");
@@ -44,6 +43,7 @@ public class JsonBackendKdcTest extends KerbyKdcTest {
JsonIdentityBackend.JSON_IDENTITY_BACKEND_DIR, jsonBackendFileString);
backendConfig.setString(KdcConfigKey.KDC_IDENTITY_BACKEND,
"org.apache.kerby.kerberos.kdc.identitybackend.JsonIdentityBackend");
+ super.prepareKdc();
}
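Review bot: The moved `super.prepareKdc()` now runs after the backend configuration is populated, which is the fix, but nothing in the method records that the order matters, so the next refactor can reintroduce the bug. A one-line comment above the call, `// backend config must be populated before super.prepareKdc() consumes it`, documents the dependency. The same move is made in LdapBackendKdcTest and ZookeeperBackendKdcTest in this commit and warrants the same comment.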
@Test
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2dde1f7b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/LdapBackendKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/LdapBackendKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/LdapBackendKdcTest.java
index b367c5a..d3f20ae 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/LdapBackendKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/LdapBackendKdcTest.java
@@ -87,7 +87,6 @@ public class LdapBackendKdcTest extends AbstractLdapBackendKdcTest {
@Override
protected void prepareKdc() throws KrbException {
- super.prepareKdc();
BackendConfig backendConfig = getKdcServer().getBackendConfig();
backendConfig.setString("host", "localhost");
backendConfig.setString("admin_dn", ADMIN_DN);
@@ -96,6 +95,7 @@ public class LdapBackendKdcTest extends AbstractLdapBackendKdcTest {
backendConfig.setInt("port", getLdapServer().getPort());
backendConfig.setString(KdcConfigKey.KDC_IDENTITY_BACKEND,
"org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend");
+ super.prepareKdc();
}
@Test
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2dde1f7b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/ZookeeperBackendKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/ZookeeperBackendKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/ZookeeperBackendKdcTest.java
index f7d1251..bface94 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/ZookeeperBackendKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/ZookeeperBackendKdcTest.java
@@ -49,8 +49,6 @@ public class ZookeeperBackendKdcTest extends KerbyKdcTest {
@Override
protected void prepareKdc() throws KrbException {
- super.prepareKdc();
-
BackendConfig backendConfig = getKdcServer().getBackendConfig();
File testDir = new File(System.getProperty("test.dir", "target"));
@@ -64,6 +62,8 @@ public class ZookeeperBackendKdcTest extends KerbyKdcTest {
backendConfig.setString(ZKConfKey.DATA_LOG_DIR.getPropertyKey(), dataLogDir.getAbsolutePath());
backendConfig.setString(KdcConfigKey.KDC_IDENTITY_BACKEND,
"org.apache.kerby.kerberos.kdc.identitybackend.ZookeeperIdentityBackend");
+
+ super.prepareKdc();
}
@Test
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2dde1f7b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/SaslAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/SaslAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/SaslAppTest.java
index 68d34cd..e7e6dba 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/SaslAppTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/SaslAppTest.java
@@ -21,6 +21,7 @@ package org.apache.kerby.kerberos.kerb.integration.test;
import org.apache.kerby.kerberos.kerb.integration.test.sasl.SaslAppClient;
import org.apache.kerby.kerberos.kerb.integration.test.sasl.SaslAppServer;
+import org.junit.Test;
public class SaslAppTest extends AppTest {
@@ -43,9 +44,7 @@ public class SaslAppTest extends AppTest {
});
}
- @SuppressWarnings("PMD")
- //@Test
- //TODO: not robust enough, with "ICMP Port Unreachable" exception.
+ @Test
public void test() throws Exception {
runAppClient();
}
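Review bot: The re-enabled @Test drops the `//TODO: not robust enough, with "ICMP Port Unreachable" exception.` note without saying what made the test reliable, and the commit message ("Fix kdc can't set backend in unit tests") does not mention this test at all. If the hostname change from DIRKRB-575 elsewhere in this series is what fixed it, a short comment on the test, `// re-enabled: the service principal hostname is now resolved consistently (DIRKRB-575)`, or a line in the commit message would let a future reader judge a recurrence. Dropping `@SuppressWarnings("PMD")` together with the dead comment is fine.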
[03/50] [abbrv] directory-kerby git commit: DIRKRB-575 SaslAppTest
failure due to input having nothing to do with test. Contributed by Gerard
Gagliano.
Posted by co...@apache.org.
DIRKRB-575 SaslAppTest failure due to input having nothing to do with test. Contributed by Gerard Gagliano.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/1877087b
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/1877087b
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/1877087b
Branch: refs/heads/gssapi
Commit: 1877087b96bd7d3448b5420ace57c6105d509ad6
Parents: 9210235
Author: plusplusjiajia <ji...@intel.com>
Authored: Fri May 27 09:39:50 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/server/KdcTestBase.java | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/1877087b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
index 9e8424f..c4a87be 100644
--- a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
@@ -30,21 +30,32 @@ import org.junit.BeforeClass;
import java.io.File;
import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
public abstract class KdcTestBase {
private static File testDir;
private final String clientPassword = "123456";
- private final String hostname = "localhost";
+ private String hostname;
private final String clientPrincipalName = "drankye";
private final String clientPrincipal =
clientPrincipalName + "@" + TestKdcServer.KDC_REALM;
private final String serverPrincipalName = "test-service";
- private final String serverPrincipal =
- serverPrincipalName + "/" + hostname + "@" + TestKdcServer.KDC_REALM;
+ private final String serverPrincipal;
private SimpleKdcServer kdcServer;
+ public KdcTestBase() {
+ try {
+ hostname = InetAddress.getByName("127.0.0.1").getHostName();
+ } catch (UnknownHostException e) {
+ hostname = "localhost";
+ }
+ serverPrincipal =
+ serverPrincipalName + "/" + hostname + "@" + TestKdcServer.KDC_REALM;
+ }
+
@BeforeClass
public static void createTestDir() throws IOException {
String basedir = System.getProperty("basedir");
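Review bot: The catch in the new constructor is effectively dead: `InetAddress.getByName("127.0.0.1")` is a literal address and does not consult DNS, and `getHostName()` never throws — when the reverse lookup fails it returns the textual address — so the fallback to "localhost" never runs and the service principal can become `test-service/127.0.0.1@REALM` on a host without reverse resolution. If "localhost" is the intended fallback, test for it explicitly, e.g. `String resolved = InetAddress.getByName("127.0.0.1").getHostName(); hostname = "127.0.0.1".equals(resolved) ? "localhost" : resolved;`. `hostname` also lost its `final`; assigning it exactly once in the constructor lets the modifier stay. createTestDir() continues past the end of the hunk.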
[08/50] [abbrv] directory-kerby git commit: Add some logs of issuing
ticket.
Posted by co...@apache.org.
Add some logs of issuing ticket.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/5cb6d17e
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/5cb6d17e
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/5cb6d17e
Branch: refs/heads/gssapi
Commit: 5cb6d17e13c1c77e0a69525c6cd553301455e719
Parents: 22b271a
Author: plusplusjiajia <ji...@intel.com>
Authored: Tue May 3 15:36:35 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../apache/kerby/kerberos/kerb/server/request/AsRequest.java | 3 +++
.../apache/kerby/kerberos/kerb/server/request/KdcRequest.java | 4 +++-
.../apache/kerby/kerberos/kerb/server/request/TgsRequest.java | 6 ++++++
3 files changed, 12 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/5cb6d17e/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
index 66fdac5..7cb7dbb 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
@@ -109,6 +109,9 @@ public class AsRequest extends KdcRequest {
protected void issueTicket() throws KrbException {
TicketIssuer issuer = new TgtTicketIssuer(this);
Ticket newTicket = issuer.issueTicket();
+ LOG.info("AS_REQ ISSUE: authtime " + newTicket.getEncPart().getAuthTime().getTime() + ","
+ + newTicket.getEncPart().getCname() + " for "
+ + newTicket.getSname());
setTicket(newTicket);
}
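Review bot: The new log line builds its message by string concatenation, so the getEncPart()/getAuthTime() calls and the concatenation run even when INFO is disabled, and it departs from SLF4J's parameterized form; `LOG.info("AS_REQ ISSUE: authtime {},{} for {}", newTicket.getEncPart().getAuthTime().getTime(), newTicket.getEncPart().getCname(), newTicket.getSname());` defers the formatting to the logger. The same line is added to TgsRequest.issueTicket in this commit. What is logged is principal names and a timestamp, which is appropriate at INFO; keep session-key and ticket material out of this line if it is extended later.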
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/5cb6d17e/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 8203501..e374734 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -167,7 +167,8 @@ public abstract class KdcRequest {
checkVersion();
checkTgsEntry();
kdcFindFast();
- authenticate();
+ checkEncryptionType();
+
if (PreauthHandler.isToken(getKdcReq().getPaData())) {
isToken = true;
preauth();
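Review bot: The `authenticate();` call is replaced by `checkEncryptionType();`, and the diffstat shows this is the only deletion in the whole commit, so authenticate() is not relocated anywhere else by this change; a reader will see this as an authentication step silently dropped from the request pipeline. If its checks are already covered by the preauth() calls below or by the checkPolicy() added in the next hunk, a one-line comment at this call site saying so (for example `// authenticate() is subsumed by preauth(); see checkPolicy() for the remaining checks`) would make that intent explicit, and if they are not, the call should be restored. The enclosing method starts and ends outside the hunk.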
@@ -181,6 +182,7 @@ public abstract class KdcRequest {
checkServer();
preauth();
}
+ checkPolicy();
issueTicket();
makeReply();
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/5cb6d17e/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
index 941ef9f..21ff6fb 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -49,10 +49,13 @@ import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlag;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import java.nio.ByteBuffer;
public class TgsRequest extends KdcRequest {
+ private static final Logger LOG = LoggerFactory.getLogger(TgsRequest.class);
private EncryptionKey tgtSessionKey;
private Ticket tgtTicket;
@@ -109,6 +112,9 @@ public class TgsRequest extends KdcRequest {
protected void issueTicket() throws KrbException {
TicketIssuer issuer = new ServiceTicketIssuer(this);
Ticket newTicket = issuer.issueTicket();
+ LOG.info("TGS_REQ ISSUE: authtime " + newTicket.getEncPart().getAuthTime().getTime() + ","
+ + newTicket.getEncPart().getCname() + " for "
+ + newTicket.getSname());
setTicket(newTicket);
}
[34/50] [abbrv] directory-kerby git commit: Adding @Ignore'd GSS
interop testcase
Posted by co...@apache.org.
Adding @Ignore'd GSS interop testcase
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/44db3213
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/44db3213
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/44db3213
Branch: refs/heads/gssapi
Commit: 44db32137ed48799d150c0ce9703bde77ba8f3a0
Parents: a5ddca4
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jun 28 14:57:23 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/server/GssInteropTest.java | 52 +++++++++++++++++---
1 file changed, 46 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/44db3213/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java
index 832d59d..7e0d269 100644
--- a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java
@@ -19,6 +19,20 @@
*/
package org.apache.kerby.kerberos.kerb.server;
+import java.io.ByteArrayOutputStream;
+import java.security.Principal;
+import java.security.PrivilegedExceptionAction;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosTicket;
+
+import org.apache.kerby.kerberos.kerb.ccache.CredCacheOutputStream;
+import org.apache.kerby.kerberos.kerb.ccache.Credential;
+import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
+import org.apache.kerby.kerberos.kerb.client.KrbClient;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
@@ -28,12 +42,6 @@ import org.ietf.jgss.Oid;
import org.junit.Assert;
import org.junit.Test;
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosTicket;
-import java.security.Principal;
-import java.security.PrivilegedExceptionAction;
-import java.util.Set;
-
/**
* This is an interop test using the Java GSS APIs against the Kerby KDC
*/
@@ -62,6 +70,38 @@ public class GssInteropTest extends LoginTestBase {
validateServiceTicket(kerberosToken);
}
+
+ @Test
+ @org.junit.Ignore
+ public void testKerbyClientAndGssService() throws Exception {
+ KrbClient client = getKrbClient();
+ client.init();
+
+ try {
+ // Get a service ticket using Kerby APIs
+ TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
+ Assert.assertTrue(tgt != null);
+
+ SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
+ Assert.assertTrue(tkt != null);
+
+ Credential credential = new Credential(tkt, tgt.getClientPrincipal());
+ CredentialCache cCache = new CredentialCache();
+ cCache.addCredential(credential);
+ cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
+
+ ByteArrayOutputStream bout = new ByteArrayOutputStream();
+ CredCacheOutputStream os = new CredCacheOutputStream(bout);
+ cCache.store(bout);
+ os.close();
+
+ // Now validate the ticket using GSS
+ validateServiceTicket(bout.toByteArray());
+ } catch (Exception e) {
+ e.printStackTrace();
+ Assert.fail();
+ }
+ }
private void validateServiceTicket(byte[] ticket) throws Exception {
Subject serviceSubject = loginServiceUsingKeytab();
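Review bot: The new testKerbyClientAndGssService wraps its body in `catch (Exception e) { e.printStackTrace(); Assert.fail(); }`, which turns any failure into an assertion with no message and no cause, even though the method already declares `throws Exception`; letting the exception propagate gives JUnit the real stack trace. The `CredCacheOutputStream os` is constructed and closed but never written to — the cache is stored straight to `bout` — so either store() should receive the wrapper or the wrapper should be deleted (I cannot tell from here which signature CredentialCache.store expects). `Assert.assertTrue(tgt != null)` and the matching tkt check read better as `Assert.assertNotNull(tgt)`. The test is @Ignore'd, as the commit says, so these only matter once it is enabled.
```java
    @Test
    @org.junit.Ignore
    public void testKerbyClientAndGssService() throws Exception {
        KrbClient client = getKrbClient();
        client.init();

        // Get a service ticket using Kerby APIs
        TgtTicket tgt = client.requestTgt(getClientPrincipal(), getClientPassword());
        Assert.assertNotNull(tgt);

        SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
        Assert.assertNotNull(tkt);

        // … unchanged: Credential / CredentialCache construction …

        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try (CredCacheOutputStream os = new CredCacheOutputStream(bout)) {
            cCache.store(os); // confirm store() takes the wrapper; otherwise drop it and keep store(bout)
        }

        // Now validate the ticket using GSS
        validateServiceTicket(bout.toByteArray());
    }
```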
[20/50] [abbrv] directory-kerby git commit: Revert "DIRKRB-569 Add
unit test of multiple KDCs for a given realm in client. Contributed by Wei."
Posted by co...@apache.org.
Revert "DIRKRB-569 Add unit test of multiple KDCs for a given realm in client. Contributed by Wei."
This reverts commit 66f6f17dacf9c19d56241e97ffdebacb3eed6e6e.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/426d3ec5
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/426d3ec5
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/426d3ec5
Branch: refs/heads/gssapi
Commit: 426d3ec5e0c108c96d6a9c24ba00842447529a1c
Parents: 0cac9c4
Author: plusplusjiajia <ji...@intel.com>
Authored: Fri May 13 15:54:42 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/request/ApRequest.java | 11 +--
.../kerberos/kerb/gssapi/KerbyMechFactory.java | 9 +-
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 96 ++------------------
3 files changed, 18 insertions(+), 98 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/426d3ec5/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
index 44f5b47..096b0de 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -89,11 +89,8 @@ public class ApRequest {
authenticator.setAuthenticatorVno(5);
authenticator.setCname(clientPrincipal);
authenticator.setCrealm(sgtTicket.getRealm());
- long millis = System.currentTimeMillis();
- int usec = (int) (millis % 1000) * 1000;
- millis -= millis % 1000;
- authenticator.setCtime(new KerberosTime(millis));
- authenticator.setCusec(usec);
+ authenticator.setCtime(KerberosTime.now());
+ authenticator.setCusec(0);
authenticator.setSubKey(sgtTicket.getSessionKey());
return authenticator;
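Review bot: The new side sets `authenticator.setCusec(0)` next to `KerberosTime.now()`, so the authenticator's microsecond field is always zero; RFC 4120 replay detection keys on ctime together with cusec, so two authenticators from the same client within one second become indistinguishable to a replay cache, and any acceptor that caches authenticators will reject the second one as a replay. If the revert is only meant to unpick the DIRKRB-569 mix-up, the sub-second part should be filled in separately, e.g. `long millis = System.currentTimeMillis();` / `authenticator.setCtime(new KerberosTime(millis - millis % 1000));` / `authenticator.setCusec((int) (millis % 1000) * 1000);`. The enclosing method starts outside the hunk.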
@@ -141,13 +138,13 @@ public class ApRequest {
}
if (timeSkew != 0) {
- if (!authenticator.getCtime().isInClockSkew(timeSkew)) {
+ if (authenticator.getCtime().isInClockSkew(timeSkew)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
}
KerberosTime now = KerberosTime.now();
KerberosTime startTime = tktEncPart.getStartTime();
- if (startTime != null && !startTime.lessThanWithSkew(now, timeSkew)) {
+ if (startTime != null && startTime.greaterThanWithSkew(now, timeSkew)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
}
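Review bot: The skew check on the new side reads `if (authenticator.getCtime().isInClockSkew(timeSkew)) throw ... KRB_AP_ERR_SKEW`, which, if isInClockSkew() returns true for a time within the allowed window, is inverted: a correctly synchronised client is rejected with KRB_AP_ERR_SKEW while an authenticator far outside the window passes, widening the replay window the skew bound is meant to close. The removed line negated the condition, and the neighbouring `startTime.greaterThanWithSkew(now, timeSkew)` test has the expected polarity, so this looks like a latent bug being reinstated by the revert rather than something intended; `if (!authenticator.getCtime().isInClockSkew(timeSkew)) {` is the one-line fix, pending confirmation of isInClockSkew()'s contract. The enclosing method starts outside the hunk.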
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/426d3ec5/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
index adacb27..a897c29 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
@@ -20,7 +20,6 @@
package org.apache.kerby.kerberos.kerb.gssapi;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyAcceptCred;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyContext;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyCredElement;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyInitCred;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyNameElement;
@@ -91,7 +90,9 @@ public class KerbyMechFactory implements MechanismFactory {
if (myInitiatorCred == null) {
myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
}
- return new KerbyContext(caller, (KerbyNameElement) peer, (KerbyInitCred) myInitiatorCred, lifetime);
+ return null;
+ //For convenience of making patch, return null instead of introduce in KerbyContext
+ //return new KerbyContext(caller, (KerbyNameElement)peer, (KerbyInitCred)myInitiatorCred, lifetime);
}
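Review bot: getMechanismContext now does `return null;` with the real construction commented out, so any caller of the SPI (the JGSS framework dereferences the returned GSSContextSpi) fails with a NullPointerException far from the cause instead of a diagnosable error. Throwing, as the stubbed KerbyContext methods in this same commit do, fails closed and is self-describing: `throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: KerbyContext not wired in yet`. The two `return null;` lines in the following hunk (the acceptor and exported-context overloads) should get the same treatment, and the commented-out constructor calls should be removed rather than kept as comments.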
public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
@@ -100,13 +101,13 @@ public class KerbyMechFactory implements MechanismFactory {
myAcceptorCred = getCredentialElement(null, 0,
GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
}
- return new KerbyContext(caller, (KerbyAcceptCred) myAcceptorCred);
+ return null; //return new KerbyContext(caller, (KerbyAcceptCred)myAcceptorCred);
}
// Reconstruct from previously exported context
public GSSContextSpi getMechanismContext(byte[] exportedContext)
throws GSSException {
- return new KerbyContext(caller, exportedContext);
+ return null; //return new KerbyContext(caller, exportedContext);
}
public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/426d3ec5/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index 1496cac..b450cc9 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -424,8 +424,7 @@ public class KerbyContext implements GSSContextSpi {
}
try {
- ApRequest.validate(serverKey, apReq,
- channelBinding == null ? null : channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
+ ApRequest.validate(serverKey, apReq, channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
} catch (KrbException e) {
throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq verification failed: " + e.getMessage());
}
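Review bot: `channelBinding.getInitiatorAddress()` is now dereferenced unconditionally, while the line this revert removes guarded against a null channelBinding; contexts are routinely accepted without channel bindings, so if channelBinding can be null here the acceptor throws NullPointerException before ApRequest.validate() runs rather than returning a GSSException. Keeping the null-safe argument, `ApRequest.validate(serverKey, apReq, channelBinding == null ? null : channelBinding.getInitiatorAddress(), 5 * 60 * 1000);`, costs nothing and the `5 * 60 * 1000` skew would read better as a named constant. The enclosing method starts and ends outside the hunk.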
@@ -477,20 +476,7 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
-
- int len;
- byte[] inBuf;
- try {
- len = is.available();
- inBuf = new byte[len];
- is.read(inBuf);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Error when get user data:" + e.getMessage());
- }
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
- token.wrap(os);
- }
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
}
public byte[] wrap(byte[] inBuf, int offset, int len,
@@ -498,24 +484,12 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
- byte[] ret = null;
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
- ret = token.wrap();
- }
- return ret;
+ return null; // TODO: to be implemented
}
public void unwrap(InputStream is, OutputStream os,
MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
- }
-
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
- token.unwrap(os);
- }
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
}
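Review bot: wrap(byte[], ...) ends in `return null; // TODO: to be implemented`, so a caller that has passed the STATE_ESTABLISHED check receives a null token as if wrapping succeeded, whereas the stream overload in the previous hunk throws GSSException(UNAVAILABLE) for the same unimplemented state. The byte[] overloads of unwrap and getMIC in the next hunk return null the same way. For consistency and to fail closed, replace each with `throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented`.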
public byte[] unwrap(byte[] inBuf, int offset, int len,
@@ -523,82 +497,30 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
}
-
- byte[] ret = null;
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
- ret = token.unwrap();
- }
- return ret;
+ return null; // TODO: to be implemented
}
public void getMIC(InputStream is, OutputStream os,
- MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
- }
-
- try {
- int len = is.available();
- byte[] inMsg = new byte[len];
- is.read(inMsg);
- if (gssEncryptor.isV2()) {
- MicTokenV2 token = new MicTokenV2(this, inMsg, 0, len, msgProp);
- token.getMic(os);
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Error when get user data in getMIC:" + e.getMessage());
- }
+ MessageProp msgProp)
+ throws GSSException {
}
public byte[] getMIC(byte[] inMsg, int offset, int len,
MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
- }
-
- byte[] ret = null;
- if (gssEncryptor.isV2()) {
- MicTokenV2 token = new MicTokenV2(this, inMsg, offset, len, msgProp);
- ret = token.getMic();
- }
- return ret;
+ return null; // TODO: to be implemented
}
public void verifyMIC(InputStream is, InputStream msgStr,
MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
- }
-
- try {
- int tokLen = is.available();
- byte[] inTok = new byte[tokLen];
- int msgLen = msgStr.available();
- byte[] inMsg = new byte[msgLen];
-
- verifyMIC(inTok, 0, tokLen, inMsg, 0, msgLen, msgProp);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Error when get user data in verifyMIC:" + e.getMessage());
- }
}
public void verifyMIC(byte[]inTok, int tokOffset, int tokLen,
byte[] inMsg, int msgOffset, int msgLen,
MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
- }
-
- if (gssEncryptor.isV2()) {
- MicTokenV2 token = new MicTokenV2(this, msgProp, inTok, tokOffset, tokLen);
- token.verify(inMsg, msgOffset, msgLen);
- }
}
public byte[] export() throws GSSException {
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export() method");
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export method");
}
public void dispose() throws GSSException {
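Review bot: Both verifyMIC overloads and getMIC(InputStream, OutputStream, MessageProp) are now empty bodies, so verifyMIC returns normally for any token and any message — a caller relying on it to check message integrity gets a silent "verified" from a stub, and the ctxState guard the removed code had is gone too. That is fail-open; the other stubs in this file fail closed with `throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented`, and the same single line belongs in each of these three bodies until the MIC code returns. The stray `byte[]inTok` spacing in the verifyMIC signature could be fixed while here.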
[33/50] [abbrv] directory-kerby git commit: Removing unnecessary
warning
Posted by co...@apache.org.
Removing unnecessary warning
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/42dc8659
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/42dc8659
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/42dc8659
Branch: refs/heads/gssapi
Commit: 42dc86590eaa214a6629a2f58fa35910defd914d
Parents: 35117e2
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Jun 9 15:34:37 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../java/org/apache/kerby/kerberos/provider/token/TokenTest.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/42dc8659/kerby-provider/token-provider/src/test/java/org/apache/kerby/kerberos/provider/token/TokenTest.java
----------------------------------------------------------------------
diff --git a/kerby-provider/token-provider/src/test/java/org/apache/kerby/kerberos/provider/token/TokenTest.java b/kerby-provider/token-provider/src/test/java/org/apache/kerby/kerberos/provider/token/TokenTest.java
index d733fde..b74b373 100644
--- a/kerby-provider/token-provider/src/test/java/org/apache/kerby/kerberos/provider/token/TokenTest.java
+++ b/kerby-provider/token-provider/src/test/java/org/apache/kerby/kerberos/provider/token/TokenTest.java
@@ -208,8 +208,8 @@ public class TokenTest {
Assertions.assertThat(token2).isNull();
}
- @SuppressWarnings("PMD")
- //@Test
+ @Test
+ @org.junit.Ignore
// TODO: building error with openjdk8: NoSuchAlgorithm EC KeyPairGenerato..
public void testTokenWithECDSASignedJWT() throws Exception {
TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
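Review bot: The reason for skipping the test lives in a `// TODO` comment that never reaches the test report; JUnit's Ignore takes a value, so `@org.junit.Ignore("building error with openjdk8: NoSuchAlgorithm EC KeyPairGenerator")` keeps the reason visible wherever the skipped test is listed. The fully-qualified annotation is also unusual next to the imported `@Test`; an `import org.junit.Ignore;` would match the file's style. The enclosing method ends outside the hunk.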
[32/50] [abbrv] directory-kerby git commit: DIRKRB-579 KRB_PRIV
message type support.
Posted by co...@apache.org.
DIRKRB-579 KRB_PRIV message type support.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/c1a8e516
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/c1a8e516
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/c1a8e516
Branch: refs/heads/gssapi
Commit: c1a8e516d68bfbcd302047075d1be1f6e757f610
Parents: 0935dba
Author: plusplusjiajia <ji...@intel.com>
Authored: Tue Jun 7 10:02:38 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/type/EncKrbPrivPart.java | 122 +++++++++++++++++++
.../kerby/kerberos/kerb/type/KrbPriv.java | 94 ++++++++++++++
2 files changed, 216 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c1a8e516/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/EncKrbPrivPart.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/EncKrbPrivPart.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/EncKrbPrivPart.java
new file mode 100644
index 0000000..bccd83c
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/EncKrbPrivPart.java
@@ -0,0 +1,122 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.type;
+
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.asn1.type.Asn1Integer;
+import org.apache.kerby.asn1.type.Asn1OctetString;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddress;
+
+/**
+ EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+ user-data[0] OCTET STRING,
+ timestamp[1] KerberosTime OPTIONAL,
+ usec[2] INTEGER OPTIONAL,
+ seq-number[3] INTEGER OPTIONAL,
+ s-address[4] HostAddress, -- sender's addr
+ r-address[5] HostAddress OPTIONAL
+ -- recip's addr
+ }
+ */
+public class EncKrbPrivPart extends KrbAppSequenceType {
+ public static final int TAG = 28;
+
+ protected enum EncKrbPrivPartField implements EnumType {
+ USER_DATA,
+ TIMESTAMP,
+ USEC,
+ SEQ_NUMBER,
+ S_ADDRESS,
+ R_ADDRESS;
+
+ @Override
+ public int getValue() {
+ return ordinal();
+ }
+
+ @Override
+ public String getName() {
+ return name();
+ }
+ }
+
+ static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+ new ExplicitField(EncKrbPrivPart.EncKrbPrivPartField.USER_DATA, Asn1OctetString.class),
+ new ExplicitField(EncKrbPrivPart.EncKrbPrivPartField.TIMESTAMP, KerberosTime.class),
+ new ExplicitField(EncKrbPrivPart.EncKrbPrivPartField.USEC, Asn1Integer.class),
+ new ExplicitField(EncKrbPrivPart.EncKrbPrivPartField.SEQ_NUMBER, Asn1Integer.class),
+ new ExplicitField(EncKrbPrivPart.EncKrbPrivPartField.S_ADDRESS, HostAddress.class),
+ new ExplicitField(EncKrbPrivPart.EncKrbPrivPartField.R_ADDRESS, HostAddress.class)
+ };
+
+ public EncKrbPrivPart() {
+ super(TAG, fieldInfos);
+ }
+
+ public byte[] getUserData() {
+ return getFieldAsOctets(EncKrbPrivPart.EncKrbPrivPartField.USER_DATA);
+ }
+
+ public void setUserData(byte[] userData) {
+ setFieldAsOctets(EncKrbPrivPart.EncKrbPrivPartField.USER_DATA, userData);
+ }
+
+ public KerberosTime getTimeStamp() {
+ return getFieldAsTime(EncKrbPrivPart.EncKrbPrivPartField.TIMESTAMP);
+ }
+
+ public void setTimeStamp(KerberosTime timeStamp) {
+ setFieldAs(EncKrbPrivPart.EncKrbPrivPartField.TIMESTAMP, timeStamp);
+ }
+
+ public int getUsec() {
+ return getFieldAsInt(EncKrbPrivPart.EncKrbPrivPartField.USEC);
+ }
+
+ public void setUsec(int usec) {
+ setFieldAsInt(EncKrbPrivPart.EncKrbPrivPartField.USEC, usec);
+ }
+
+ public int getSeqNumber() {
+ return getFieldAsInt(EncKrbPrivPart.EncKrbPrivPartField.SEQ_NUMBER);
+ }
+
+ public void setSeqNumber(int seqNumber) {
+ setFieldAsInt(EncKrbPrivPart.EncKrbPrivPartField.SEQ_NUMBER, seqNumber);
+ }
+
+ public HostAddress getSAddress() {
+ return getFieldAs(EncKrbPrivPart.EncKrbPrivPartField.S_ADDRESS, HostAddress.class);
+ }
+
+ public void setSAddress(HostAddress hostAddress) {
+ setFieldAs(EncKrbPrivPart.EncKrbPrivPartField.S_ADDRESS, hostAddress);
+ }
+
+ public HostAddress getRAddress() {
+ return getFieldAs(EncKrbPrivPart.EncKrbPrivPartField.R_ADDRESS, HostAddress.class);
+ }
+
+ public void setRAddress(HostAddress hostAddress) {
+ setFieldAs(EncKrbPrivPart.EncKrbPrivPartField.R_ADDRESS, hostAddress);
+ }
+}
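Review bot: `static Asn1FieldInfo[] fieldInfos` is package-visible and mutable, so any class in the package can replace or reorder the field descriptors shared by every EncKrbPrivPart instance; `private static final Asn1FieldInfo[] FIELD_INFOS` (or at least `private static final`) is what the constructor's `super(TAG, fieldInfos)` needs, and the same applies to the fieldInfos array in KrbPriv added by this commit. The class Javadoc holds the ASN.1 definition without `<pre>` or leading `*`, so javadoc will reflow it into one paragraph, unlike the KrbPriv Javadoc in the same commit. usec and seq-number are OPTIONAL per the definition quoted above, but getUsec()/getSeqNumber() return a primitive int, so callers cannot distinguish an absent field from a value of 0 unless getFieldAsInt() has a documented sentinel — worth a sentence in the getters' Javadoc either way.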
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c1a8e516/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KrbPriv.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KrbPriv.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KrbPriv.java
new file mode 100644
index 0000000..0354783
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KrbPriv.java
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.type;
+
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.asn1.type.Asn1Integer;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
+import org.apache.kerby.kerberos.kerb.type.base.KrbMessage;
+import org.apache.kerby.kerberos.kerb.type.base.KrbMessageType;
+
+/**
+ * The KRB_PRIV message, as defined in RFC 1510 :
+ * The KRB_PRIV message contains user data encrypted in the Session Key.
+ * The message fields are:
+ * <pre>
+ * KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+ * pvno[0] INTEGER,
+ * msg-type[1] INTEGER,
+ * enc-part[3] EncryptedData
+ * </pre>
+ */
+public class KrbPriv extends KrbMessage {
+ protected enum KrbPrivField implements EnumType {
+ PVNO,
+ MSG_TYPE,
+ ENC_PART;
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public int getValue() {
+ return ordinal();
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public String getName() {
+ return name();
+ }
+ }
+ static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
+ new ExplicitField(KrbPriv.KrbPrivField.PVNO, Asn1Integer.class),
+ new ExplicitField(KrbPriv.KrbPrivField.MSG_TYPE, Asn1Integer.class),
+ new ExplicitField(KrbPriv.KrbPrivField.ENC_PART, EncryptedData.class)
+ };
+
+ /**
+ * Creates a new instance of a KRB-PRIv message
+ */
+ public KrbPriv() {
+ super(KrbMessageType.KRB_PRIV, fieldInfos);
+ }
+
+ private EncKrbPrivPart encPart;
+
+ public EncryptedData getEncryptedEncPart() {
+ return getFieldAs(KrbPriv.KrbPrivField.ENC_PART, EncryptedData.class);
+ }
+
+ public void setEncryptedEncPart(EncryptedData encryptedEncPart) {
+ setFieldAs(KrbPriv.KrbPrivField.ENC_PART, encryptedEncPart);
+ }
+
+
+ public EncKrbPrivPart getEncPart() {
+ return encPart;
+ }
+
+ public void setEncPart(EncKrbPrivPart encPart) {
+ this.encPart = encPart;
+ }
+}
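Review bot: KrbPrivField.getValue() returns `ordinal()`, which gives ENC_PART the tag [2], but the ASN.1 in the class Javadoc (and RFC 4120 §5.7.1, which explicitly states there is no [2] tag in KRB-PRIV) says `enc-part[3]`; assuming ExplicitField derives the context tag from getValue(), as it appears to, messages encoded by this class put enc-part under the wrong tag and will not interoperate with other Kerberos implementations, and decoding theirs will fail. The enum should carry explicit tag values rather than rely on ordinal(). Separately, the Javadoc cites RFC 1510 (obsoleted by RFC 4120), its `<pre>` block is missing the closing `}`, and `private EncKrbPrivPart encPart;` is declared between the constructor and the accessors rather than with the other fields.
```java
public class KrbPriv extends KrbMessage {
    protected enum KrbPrivField implements EnumType {
        PVNO(0),
        MSG_TYPE(1),
        ENC_PART(3); // RFC 4120 5.7.1: KRB-PRIV deliberately has no [2] tag

        private final int value;

        KrbPrivField(int value) {
            this.value = value;
        }

        /**
         * {@inheritDoc}
         */
        @Override
        public int getValue() {
            return value;
        }

        // … unchanged: getName() …
    }

    // … unchanged: fieldInfos, constructor, accessors …
```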
[15/50] [abbrv] directory-kerby git commit: DIRKRB-567 Support
multiple KDCs for a given realm in client.
Posted by co...@apache.org.
DIRKRB-567 Support multiple KDCs for a given realm in client.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/2e81a84f
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/2e81a84f
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/2e81a84f
Branch: refs/heads/gssapi
Commit: 2e81a84f4f027bec980979746efa6d3e2f5afb11
Parents: b9a11ae
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed May 11 13:24:23 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
kerby-dist/tool-dist/conf/krb5.conf | 5 +
.../kerby/kerberos/kerb/client/ClientUtil.java | 108 +++++++++++++++++--
.../kerby/kerberos/kerb/client/KrbConfig.java | 32 ++++++
.../kerby/kerberos/kerb/client/KrbHandler.java | 9 +-
.../client/impl/DefaultInternalKrbClient.java | 51 +++++++--
.../kerb/client/impl/DefaultKrbHandler.java | 4 +-
.../kerberos/kerb/client/KrbConfigLoadTest.java | 4 +-
.../kerby/kerberos/kerb/common/Krb5Conf.java | 14 ++-
.../kerby/kerberos/kerb/common/Krb5Parser.java | 35 ++++--
.../kerby/kerberos/kerb/Krb5ParserTest.java | 10 +-
.../kerby/kerberos/kerb/KrbErrorCode.java | 4 +-
.../kerby/kerberos/kerb/server/KdcHandler.java | 9 +-
.../kerb/server/preauth/token/TokenPreauth.java | 4 +-
.../kerberos/kerb/server/SimpleKdcServer.java | 3 +-
14 files changed, 252 insertions(+), 40 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-dist/tool-dist/conf/krb5.conf
----------------------------------------------------------------------
diff --git a/kerby-dist/tool-dist/conf/krb5.conf b/kerby-dist/tool-dist/conf/krb5.conf
index e857b84..8e024e3 100644
--- a/kerby-dist/tool-dist/conf/krb5.conf
+++ b/kerby-dist/tool-dist/conf/krb5.conf
@@ -22,3 +22,8 @@
kdc_udp_port = 88
kdc_tcp_port = 88
pkinit_anchors = /etc/krb5/cacert.pem
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = localhost:88
+ }
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/ClientUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/ClientUtil.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/ClientUtil.java
index 7591af5..dd9a3f8 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/ClientUtil.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/ClientUtil.java
@@ -21,15 +21,20 @@ package org.apache.kerby.kerberos.kerb.client;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.transport.TransportPair;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.IOException;
import java.net.InetSocketAddress;
+import java.util.ArrayList;
+import java.util.List;
import java.util.Map;
public final class ClientUtil {
private ClientUtil() { }
+ private static final Logger LOG = LoggerFactory.getLogger(ClientUtil.class);
private static final String KRB5_FILE_NAME = "krb5.conf";
private static final String KRB5_ENV_NAME = "KRB5_CONFIG";
@@ -107,24 +112,115 @@ public final class ClientUtil {
/**
* Get KDC network transport addresses according to krb client setting.
* @param setting The krb setting
+ * @param kdcString The kdc string, may include the port number
* @return UDP and TCP addresses pair
* @throws KrbException e
*/
public static TransportPair getTransportPair(
- KrbSetting setting) throws KrbException {
+ KrbSetting setting, String kdcString) throws KrbException, IOException {
TransportPair result = new TransportPair();
-
int tcpPort = setting.checkGetKdcTcpPort();
+ int udpPort = setting.checkGetKdcUdpPort();
+
+ int port = 0;
+ String kdc;
+ String portStr = null;
+
+ // Explicit IPv6 in []
+ if (kdcString.charAt(0) == '[') {
+ int pos = kdcString.indexOf(']', 1);
+ if (pos == -1) {
+ throw new IOException("Illegal KDC: " + kdcString);
+ }
+ kdc = kdcString.substring(1, pos);
+ // with port number
+ if (pos != kdcString.length() - 1) {
+ if (kdcString.charAt(pos + 1) != ':') {
+ throw new IOException("Illegal KDC: " + kdcString);
+ }
+ portStr = kdcString.substring(pos + 2);
+ }
+ } else {
+ int colon = kdcString.indexOf(':');
+ // Hostname or IPv4 host only
+ if (colon == -1) {
+ kdc = kdcString;
+ } else {
+ int nextColon = kdcString.indexOf(':', colon + 1);
+ // >=2 ":", IPv6 with no port
+ if (nextColon > 0) {
+ kdc = kdcString;
+ } else {
+ // 1 ":", hostname or IPv4 with port
+ kdc = kdcString.substring(0, colon);
+ portStr = kdcString.substring(colon + 1);
+ }
+ }
+ }
+ if (portStr != null) {
+ int tempPort = parsePositiveIntString(portStr);
+ if (tempPort > 0) {
+ port = tempPort;
+ }
+ }
+ if (port != 0) {
+ tcpPort = port;
+ udpPort = port;
+ }
if (tcpPort > 0) {
result.tcpAddress = new InetSocketAddress(
- setting.getKdcHost(), tcpPort);
+ kdc, tcpPort);
}
- int udpPort = setting.checkGetKdcUdpPort();
if (udpPort > 0) {
result.udpAddress = new InetSocketAddress(
- setting.getKdcHost(), udpPort);
+ kdc, udpPort);
}
-
return result;
}
+
+ private static int parsePositiveIntString(String intString) {
+ if (intString == null) {
+ return -1;
+ }
+ int ret = -1;
+ try {
+ ret = Integer.parseInt(intString);
+ } catch (Exception exc) {
+ return -1;
+ }
+ if (ret >= 0) {
+ return ret;
+ }
+ return -1;
+ }
+
+ /**
+ * Returns a list of KDC
+ *
+ * @throws KrbException if there's no way to find KDC for the realm
+ * @return the list of KDC, always non null
+ */
+ public static List<String> getKDCList(KrbSetting krbSetting) throws KrbException {
+
+ List<String> kdcList = new ArrayList<>();
+ kdcList.add(krbSetting.getKdcHost());
+ /*get the kdc realm */
+ String realm = krbSetting.getKdcRealm();
+ if (realm != null) {
+ KrbConfig krbConfig = krbSetting.getKrbConfig();
+ List<Object> kdcs = krbConfig.getRealmSectionItems(realm, "kdc");
+ if (kdcs != null) {
+ for (Object object : kdcs) {
+ kdcList.add(object != null ? object.toString() : null);
+ }
+ }
+
+ if (kdcList == null) {
+ LOG.info("Cannot get kdc for realm " + realm);
+ }
+ } else {
+ throw new KrbException("Can't get the realm");
+ }
+ return kdcList;
+ }
}
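Review bot: `getKDCList` can hand `getTransportPair` a null or empty string, which then dies at `kdcString.charAt(0)` with a StringIndexOutOfBounds/NullPointerException instead of a KrbException: L1516 adds `null` for null items, the value of `getKdcHost()` is added at L1508 unchecked, and the `kdcList == null` test at L1520 can never be true because the list is created at L1507. I would skip null items (`if (object != null) { kdcList.add(object.toString()); }`), replace the dead check with `if (kdcList.isEmpty())`, and open `getTransportPair` with `if (kdcString == null || kdcString.isEmpty()) { throw new KrbException("Illegal KDC: " + kdcString); }`. `parsePositiveIntString` should catch `NumberFormatException` rather than `Exception`, and a parsed port above 65535 still reaches `new InetSocketAddress`, which rejects it with an IllegalArgumentException, so bounding the port (`tempPort > 0 && tempPort <= 65535`) keeps the failure path consistent. The new `throws IOException` on `getTransportPair` is not reflected in its `@throws` javadoc.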
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java
index 37161bf..dbbc64c 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbConfig.java
@@ -22,14 +22,17 @@ package org.apache.kerby.kerberos.kerb.client;
import org.apache.kerby.kerberos.kerb.common.Krb5Conf;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
+import java.util.Map;
/**
* Kerb client side configuration API.
*/
public class KrbConfig extends Krb5Conf {
private static final String LIBDEFAULT = "libdefaults";
+ private static final String REALMS = "realms";
public boolean enableDebug() {
return getBoolean(KrbConfigKey.KRB_DEBUG, true, LIBDEFAULT);
@@ -312,4 +315,33 @@ public class KrbConfig extends Krb5Conf {
return getString(
KrbConfigKey.PKINIT_KDC_HOSTNAME, true, LIBDEFAULT);
}
+
+ public List<Object> getRealmSectionItems(String realm, String key) {
+ Map<String, Object> map = getRealmSection(realm);
+ List<Object> items = null;
+ if (map != null) {
+ items = new ArrayList<>();
+ for (Map.Entry<String, Object> entry : map.entrySet()) {
+ if (entry.getKey().equals(key)) {
+ items.add(entry.getValue());
+ }
+ }
+ }
+ return items;
+ }
+
+ public Map<String, Object> getRealmSection(String realm) {
+ Object realms = getSection(REALMS);
+ if (realms != null) {
+ Map<String, Object> map = (Map) realms;
+ for (Map.Entry<String, Object> entry : map.entrySet()) {
+ if (entry.getKey().equals(realm)) {
+ return (Map) entry.getValue();
+ }
+ }
+ return null;
+ } else {
+ return null;
+ }
+ }
}
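Review bot: The `(Map) entry.getValue()` cast at L1575 throws ClassCastException if a `[realms]` entry is a plain `key = value` line rather than a `{ ... }` block, and the raw casts at L1572 and L1575 are unchecked; guard with `if (entry.getValue() instanceof Map)` and cast to `Map<String, Object>`. The linear `equals` scans in both methods exist only because the parsed maps are identity-keyed (see the Krb5Parser hunks), so `map.get(realm)` would silently miss; a comment such as `// keys are identity-compared by the parser; scan, do not use get()` would stop the next reader from "simplifying" this into a lookup. `getRealmSectionItems` returns `null` when the realm is absent; returning an empty list would let callers such as `ClientUtil.getKDCList` drop their null handling.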
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
index 1c6743f..1ec4e4d 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
@@ -63,10 +63,13 @@ public abstract class KrbHandler {
* Handle the kdc request.
*
* @param kdcRequest The kdc request
+ * @param tryNextKdc try next kdc or not
* @throws KrbException e
*/
- public void handleRequest(KdcRequest kdcRequest) throws KrbException {
- kdcRequest.process();
+ public void handleRequest(KdcRequest kdcRequest, boolean tryNextKdc) throws KrbException {
+ if (!tryNextKdc) {
+ kdcRequest.process();
+ }
KdcReq kdcReq = kdcRequest.getKdcReq();
int bodyLen = kdcReq.encodingLength();
KrbTransport transport = (KrbTransport) kdcRequest.getSessionData();
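Review bot: The javadoc `@param tryNextKdc try next kdc or not` does not say what the flag changes: when it is true the handler skips `kdcRequest.process()` and re-sends the request already built for the previous KDC. I would document that (`@param tryNextKdc when true, reuse the already-processed request for a failover KDC instead of calling process() again`) or name the parameter for its effect, e.g. `reuseRequest`, since "try next KDC" is the caller's policy rather than this method's behaviour; the call site at L1611 and the override in DefaultKrbHandler (L1702, L1706) would follow the rename. Whether a request built once can safely be replayed to a second KDC depends on what `process()` populates, which is outside this hunk and worth confirming. `handleRequest` continues past the end of the hunk.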
@@ -133,7 +136,7 @@ public abstract class KrbHandler {
kdcRequest.setEncryptionTypes(encryptionTypes);
kdcRequest.setPreauthRequired(true);
kdcRequest.resetPrequthContxt();
- handleRequest(kdcRequest);
+ handleRequest(kdcRequest, false);
LOG.info("Retry with the new kdc request including pre-authentication.");
} else {
LOG.info(error.getErrorCode().getMessage());
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
index df4ed10..06c6a7f 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
@@ -30,13 +30,18 @@ import org.apache.kerby.kerberos.kerb.transport.KrbTransport;
import org.apache.kerby.kerberos.kerb.transport.TransportPair;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import java.io.IOException;
+import java.util.Iterator;
+import java.util.List;
/**
* A default krb client implementation.
*/
public class DefaultInternalKrbClient extends AbstractInternalKrbClient {
+ private static final Logger LOG = LoggerFactory.getLogger(DefaultInternalKrbClient.class);
private DefaultKrbHandler krbHandler;
private KrbTransport transport;
@@ -57,21 +62,49 @@ public class DefaultInternalKrbClient extends AbstractInternalKrbClient {
}
private void doRequest(KdcRequest request) throws KrbException {
- try {
- TransportPair tpair = ClientUtil.getTransportPair(getSetting());
- KrbNetwork network = new KrbNetwork();
- network.setSocketTimeout(getSetting().getTimeout());
+ List<String> kdcList = ClientUtil.getKDCList(getSetting());
- transport = network.connect(tpair);
+ // tempKdc may include the port number
+ Iterator<String> tempKdc = kdcList.iterator();
+ if (!tempKdc.hasNext()) {
+ throw new KrbException("Cannot get kdc for realm " + getSetting().getKdcRealm());
+ }
- request.setSessionData(transport);
- krbHandler.handleRequest(request);
- } catch (IOException e) {
- throw new KrbException("Failed to create transport", e);
+ try {
+ sendIfPossible(request, tempKdc.next(), getSetting(), false);
+ LOG.info("Send to kdc success.");
+ } catch (Exception first) {
+ boolean ok = false;
+ while (tempKdc.hasNext()) {
+ try {
+ sendIfPossible(request, tempKdc.next(), getSetting(), true);
+ ok = true;
+ LOG.info("Send to kdc success.");
+ break;
+ } catch (Exception ignore) {
+ LOG.info("ignore this kdc");
+ }
+ }
+ if (!ok) {
+ throw new KrbException("Failed to create transport", first);
+ }
} finally {
transport.release();
}
+
+ }
+
+ private void sendIfPossible(KdcRequest request, String kdcString, KrbSetting setting,
+ boolean tryNextKdc)
+ throws KrbException, IOException {
+
+ TransportPair tpair = ClientUtil.getTransportPair(setting, kdcString);
+ KrbNetwork network = new KrbNetwork();
+ network.setSocketTimeout(setting.getTimeout());
+ transport = network.connect(tpair);
+ request.setSessionData(transport);
+ krbHandler.handleRequest(request, tryNextKdc);
}
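Review bot: `catch (Exception first)` at L1658 and `catch (Exception ignore)` at L1666 treat a KrbException from a reachable KDC (a KRB-ERROR such as a failed pre-authentication) the same as a connection failure, so the client replays the request against every configured KDC and then reports `Failed to create transport` with the real error buried as the cause; failover should be limited to `IOException`, with `KrbException` rethrown unchanged so that an authentication failure is reported once rather than repeated against each KDC. `sendIfPossible` assigns `transport` only after `network.connect` succeeds, so when the first connect fails `transport` is still null (or a previously released transport) when the `finally` at L1674 runs; guard it with `if (transport != null) { transport.release(); }` and release the previous transport before connecting to the next KDC so a failed-over attempt does not leak the socket. The `LOG.info("ignore this kdc")` line at L1667 drops the exception and the KDC name; `LOG.warn("KDC failed, trying next", ignore)` with the kdc string would make failover diagnosable.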
/**
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultKrbHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultKrbHandler.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultKrbHandler.java
index 246f399..8da5970 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultKrbHandler.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultKrbHandler.java
@@ -33,11 +33,11 @@ public class DefaultKrbHandler extends KrbHandler {
* {@inheritDoc}
*/
@Override
- public void handleRequest(KdcRequest kdcRequest) throws KrbException {
+ public void handleRequest(KdcRequest kdcRequest, boolean tryNextKdc) throws KrbException {
KrbTransport transport = (KrbTransport) kdcRequest.getSessionData();
transport.setAttachment(kdcRequest);
- super.handleRequest(kdcRequest);
+ super.handleRequest(kdcRequest, tryNextKdc);
ByteBuffer receivedMessage = null;
try {
receivedMessage = transport.receiveMessage();
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/KrbConfigLoadTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/KrbConfigLoadTest.java b/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/KrbConfigLoadTest.java
index cfd3929..50ee72b 100644
--- a/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/KrbConfigLoadTest.java
+++ b/kerby-kerb/kerb-client/src/test/java/org/apache/kerby/kerberos/kerb/client/KrbConfigLoadTest.java
@@ -25,7 +25,7 @@ import org.junit.Test;
import java.io.File;
import java.net.URL;
-import static org.assertj.core.api.Assertions.*;
+import static org.assertj.core.api.Assertions.assertThat;
/**
* Test for loading configurations form krb5.conf.
@@ -61,5 +61,7 @@ public class KrbConfigLoadTest {
assertThat(krbConfig.getPkinitAnchors()).hasSize(1);
assertThat(krbConfig.getPkinitIdentities()).hasSize(2);
assertThat(krbConfig.getPkinitKdcHostName()).isEqualTo("kdc-server.example.com");
+ assertThat(krbConfig.getRealmSection("ATHENA.MIT.EDU")).hasSize(3);
+ assertThat(krbConfig.getRealmSectionItems("ATHENA.MIT.EDU", "admin_server")).hasSize(1);
}
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Conf.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Conf.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Conf.java
index 1834ae5..1dba876 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Conf.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Conf.java
@@ -41,11 +41,12 @@ public class Krb5Conf extends Conf {
* of config value(string list).
*/
private static final String LIST_SPLITTER = " |,";
+ private Map<String, Object> krb5Map;
public void addKrb5Config(File krb5File) throws IOException {
Krb5Parser krb5Parser = new Krb5Parser(krb5File);
krb5Parser.load();
- Map<String, Object> krb5Map = krb5Parser.getItems();
+ krb5Map = krb5Parser.getItems();
addResource(Resource.createMapResource(krb5Map));
}
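Review bot: `krb5Map` at L1746 is overwritten on every `addKrb5Config` call, so when more than one krb5 file is added `getSection` (the hunk at L1754–L1763) only sees the last file while `addResource` has accumulated all of them; either merge into the existing map or mark the field `// holds the items of the most recently added krb5 file only`. In that second hunk the `equals` scan over `krb5Map.entrySet()` instead of `krb5Map.get(sectionName)` is needed only because Krb5Parser now builds IdentityHashMaps; a one-line comment saying so would prevent a later "simplification" into `get()` that silently returns null.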
@@ -162,4 +163,15 @@ public class Krb5Conf extends Conf {
String[] values = value.split(LIST_SPLITTER);
return values;
}
+
+ protected Object getSection(String sectionName) {
+ if (krb5Map != null) {
+ for (Map.Entry<String, Object> entry : krb5Map.entrySet()) {
+ if (entry.getKey().equals(sectionName)) {
+ return entry.getValue();
+ }
+ }
+ }
+ return null;
+ }
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Parser.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Parser.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Parser.java
index 1494377..9f4196c 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Parser.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Parser.java
@@ -26,7 +26,7 @@ import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
-import java.util.HashMap;
+import java.util.IdentityHashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
@@ -57,7 +57,7 @@ public class Krb5Parser {
public void load() throws IOException {
BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(krb5conf),
StandardCharsets.UTF_8));
- items = new HashMap<String, Object>();
+ items = new IdentityHashMap<>();
String originLine = br.readLine();
while (originLine != null) {
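Review bot: Switching `items` to `IdentityHashMap` at L1785 (and the nested maps at L1828 and L1836) turns `Map.get(String)` into a lookup that only works with the exact key instance the parser created; any caller using `get` with a literal or its own `substring` silently receives `null`, and the maps now admit duplicate keys, which no consumer of a `Map<String, Object>` expects. If the intent is to keep repeated `kdc = ...` lines, a `Map<String, List<Object>>` (or a LinkedHashMap whose repeated keys append to a list) expresses that honestly and keeps `get` working; at minimum the field and the public `getItems()` result should carry a comment such as `// identity-keyed: iterate entrySet(), never use get()`. The `BufferedReader` at L1782 is not closed anywhere in the visible lines; a try-with-resources around it is the usual fix, though the rest of `load()` is outside the hunk.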
@@ -97,11 +97,32 @@ public class Krb5Parser {
/**
* Get the contents of a section given the section name.
* @param sectionName the name of a section
+ * @param keys the keys list
* @return a Map of section contents
*/
- public Map<String, Object> getSection(String sectionName) {
- Map<String, Object> sections = (HashMap) items.get(sectionName);
- return sections;
+ public Object getSection(String sectionName, String ... keys) {
+ Object value = null;
+ for (Map.Entry<String, Object> item : items.entrySet()) {
+ if (item.getKey().equals(sectionName)) {
+ value = item.getValue();
+ Map<String, Object> map = (Map) item.getValue();
+ for (Map.Entry<String, Object> entry : map.entrySet()) {
+ if (entry.getKey().equals(keys[0])) {
+ value = entry.getValue();
+ }
+ }
+ }
+ }
+
+ for (int i = 1; i < keys.length; i++) {
+ Map<String, Object> map = (Map) value;
+ for (Map.Entry<String, Object> entry : map.entrySet()) {
+ if (entry.getKey().equals(keys[i])) {
+ value = entry.getValue();
+ }
+ }
+ }
+ return value;
}
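Review bot: `getSection(String, String...)` at L1798 reads `keys[0]` at L1805, so a call with the section name alone compiles (varargs) but throws ArrayIndexOutOfBoundsException; the loop at L1812 likewise casts `value` to `Map` and calls `entrySet()` without checking that the previous level was found or is a map, giving NullPointerException or ClassCastException for an absent key or a scalar value. A guard at the top (`if (keys.length == 0) { return items.get(sectionName); }` — or a scan, given the identity-keyed map) and `if (!(value instanceof Map)) { return null; }` before each descent would make the lookup total. The javadoc still says `@return a Map of section contents`; with the new signature it should state that the return is the value at the key path (a Map for a section or subsection, a String for a leaf) or null when any level is missing. Removing the one-argument `getSection(String)` overload also changes behaviour for existing callers; keeping it as a delegating overload would be backward-compatible.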
/**
@@ -118,7 +139,7 @@ public class Krb5Parser {
private void insertSections(String line, BufferedReader br, Map<String, Object> items) throws IOException {
while (line.startsWith("[")) {
String sectionName = line.substring(1, line.length() - 1);
- Map<String, Object> entries = new HashMap<String, Object>();
+ Map<String, Object> entries = new IdentityHashMap<>();
line = br.readLine();
if (line == null) {
break;
@@ -174,7 +195,7 @@ public class Krb5Parser {
kv[1] = kv[1].trim();
if (kv[1].startsWith("{")) {
- Map<String, Object> meValue = new HashMap<String, Object>();
+ Map<String, Object> meValue = new IdentityHashMap<>();
line = br.readLine();
if (line != null) {
line = line.trim();
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-common/src/test/java/org/apache/kerby/kerberos/kerb/Krb5ParserTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/test/java/org/apache/kerby/kerberos/kerb/Krb5ParserTest.java b/kerby-kerb/kerb-common/src/test/java/org/apache/kerby/kerberos/kerb/Krb5ParserTest.java
index b11ad16..fb09722 100644
--- a/kerby-kerb/kerb-common/src/test/java/org/apache/kerby/kerberos/kerb/Krb5ParserTest.java
+++ b/kerby-kerb/kerb-common/src/test/java/org/apache/kerby/kerberos/kerb/Krb5ParserTest.java
@@ -45,11 +45,9 @@ public class Krb5ParserTest {
assertThat(k.getSections().size()).isEqualTo(4);
assertThat(k.getSections().contains("libdefaults")).isTrue();
- assertThat(k.getSection("libdefaults").get("dns_lookup_kdc")).isEqualTo("false");
- assertThat(k.getSection("realms").get("ATHENA.MIT.EDU") instanceof Map).isTrue();
- Map<String, Object> m1 = (Map) k.getSection("realms").get("ATHENA.MIT.EDU");
- assertThat(m1.get("v4_instance_convert") instanceof Map).isTrue();
- Map<String, Object> m2 = (Map) m1.get("v4_instance_convert");
- assertThat(m2.get("mit")).isEqualTo("mit.edu");
+ assertThat(k.getSection("libdefaults", "dns_lookup_kdc")).isEqualTo("false");
+ assertThat(k.getSection("realms", "ATHENA.MIT.EDU") instanceof Map).isTrue();
+ assertThat(k.getSection("realms", "ATHENA.MIT.EDU", "v4_instance_convert") instanceof Map).isTrue();
+ assertThat(k.getSection("realms", "ATHENA.MIT.EDU", "v4_instance_convert", "mit").equals("mit.edu"));
}
}
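Review bot: The assertion at L1858 wraps a boolean in `assertThat(...)` but never calls `.isTrue()`, so it cannot fail and the test no longer checks the leaf value it replaced. It should be `assertThat(k.getSection("realms", "ATHENA.MIT.EDU", "v4_instance_convert", "mit")).isEqualTo("mit.edu");`, which also reports the actual value on failure. The other three added assertions are fine as written.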
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbErrorCode.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbErrorCode.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbErrorCode.java
index cd4ad1e..b7f3df3 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbErrorCode.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbErrorCode.java
@@ -95,8 +95,10 @@ public enum KrbErrorCode implements EnumType {
KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED(79, "PA checksum must be included"),
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED(80, "Digest in signed data not accepted"),
KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED(81, "Public key encryption not supported"),
+ TOKEN_PREAUTH_NOT_ALLOWED(82, "Token preauth is not allowed"),
- KRB_TIMEOUT(5000, "Network timeout");
+ KRB_TIMEOUT(5000, "Network timeout"),
+ UNKNOWN_ERR(5001, "Unknow error");
private final int value;
private final String message;
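Review bot: `UNKNOWN_ERR(5001, "Unknow error")` at L1874 has a typo in a message that reaches clients; it should read `"Unknown error"`. `TOKEN_PREAUTH_NOT_ALLOWED(82, ...)` at L1871 is a project-private code placed directly after the RFC-assigned PKINIT codes that end at 81, so a later standard assignment of 82 would collide and a non-Kerby client receiving 82 in a KRB-ERROR cannot interpret it; reusing a registered code where one fits (the RFC 4120 `KDC_ERR_PADATA_TYPE_NOSUPP`, if the enum carries it) or placing the private code in the same out-of-band range as `KRB_TIMEOUT(5000, ...)` with a comment would avoid that. Since the KdcHandler hunk at L1897–L1901 now puts `UNKNOWN_ERR` on the wire, the 5001 value likewise reaches clients that only know the registered codes.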
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
index aa896c2..8a1a21a 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
@@ -87,7 +87,8 @@ public class KdcHandler {
String realm = getRequestRealm(kdcReq);
if (realm == null || !kdcContext.getKdcRealm().equals(realm)) {
LOG.error("Invalid realm from kdc request: " + realm);
- throw new KrbException("Invalid realm from kdc request: " + realm);
+ throw new KrbException(KrbErrorCode.WRONG_REALM,
+ "Invalid realm from kdc request: " + realm);
}
if (messageType == KrbMessageType.TGS_REQ) {
@@ -122,7 +123,11 @@ public class KdcHandler {
KrbError krbError = new KrbError();
krbError.setStime(KerberosTime.now());
krbError.setSusec(100);
- krbError.setErrorCode(e.getKrbErrorCode());
+ if (e.getKrbErrorCode() != null) {
+ krbError.setErrorCode(e.getKrbErrorCode());
+ } else {
+ krbError.setErrorCode(KrbErrorCode.UNKNOWN_ERR);
+ }
krbError.setCrealm(kdcContext.getKdcRealm());
if (kdcRequest.getClientPrincipal() != null) {
krbError.setCname(kdcRequest.getClientPrincipal());
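Review bot: The null guard at L1897 covers `setErrorCode` only; when `e.getKrbErrorCode()` is null the `equals(KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY)` comparison a few lines below the hunk (visible as a context line at L2052 in the parent commit) still dereferences it and throws inside the error-reporting path, so the client receives no KRB-ERROR at all. Resolve the code once and use it for both: `KrbErrorCode code = e.getKrbErrorCode() != null ? e.getKrbErrorCode() : KrbErrorCode.UNKNOWN_ERR;`, then `krbError.setErrorCode(code);` and compare with `code == KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY` (enum identity, no null dereference). The enclosing method continues past both ends of the hunk.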
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index 11e9b6f..f4580fc 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -20,6 +20,7 @@
package org.apache.kerby.kerberos.kerb.server.preauth.token;
import org.apache.kerby.kerberos.kerb.KrbCodec;
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.KrbRuntime;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
@@ -62,7 +63,8 @@ public class TokenPreauth extends AbstractPreauthPlugin {
PaDataEntry paData) throws KrbException {
if (!kdcRequest.getKdcContext().getConfig().isAllowTokenPreauth()) {
- throw new KrbException("Token preauth is not allowed.");
+ throw new KrbException(KrbErrorCode.TOKEN_PREAUTH_NOT_ALLOWED,
+ "Token preauth is not allowed.");
}
if (paData.getPaDataType() == PaDataType.TOKEN_REQUEST) {
EncryptedData encData = KrbCodec.decode(paData.getPaDataValue(), EncryptedData.class);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2e81a84f/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java b/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
index 6f4fd63..74e4ec9 100644
--- a/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
+++ b/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
@@ -24,6 +24,7 @@ import org.apache.kerby.kerberos.kerb.admin.LocalKadmin;
import org.apache.kerby.kerberos.kerb.admin.LocalKadminImpl;
import org.apache.kerby.kerberos.kerb.client.Krb5Conf;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
+import org.apache.kerby.kerberos.kerb.client.KrbConfig;
import org.apache.kerby.kerberos.kerb.client.KrbPkinitClient;
import org.apache.kerby.kerberos.kerb.client.KrbTokenClient;
import org.apache.kerby.util.NetworkUtil;
@@ -51,7 +52,7 @@ public class SimpleKdcServer extends KdcServer {
*/
public SimpleKdcServer() throws KrbException {
super();
- this.krbClnt = new KrbClient();
+ this.krbClnt = new KrbClient(new KrbConfig());
setKdcRealm("EXAMPLE.COM");
setKdcHost("localhost");
[05/50] [abbrv] directory-kerby git commit: DIRKRB-561 Jaas client
failed to decode KrbError message from Kerby KDC.
Posted by co...@apache.org.
DIRKRB-561 Jaas client failed to decode KrbError message from Kerby KDC.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/aa1bd31e
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/aa1bd31e
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/aa1bd31e
Branch: refs/heads/gssapi
Commit: aa1bd31e203a303fa953eee0f04438f43c468749
Parents: fe4f0b8
Author: plusplusjiajia <ji...@intel.com>
Authored: Tue Apr 26 16:54:36 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/type/base/KrbError.java | 18 +++++++++---------
.../kerby/kerberos/kerb/server/KdcHandler.java | 16 ++++++++++++++--
.../kerberos/kerb/server/request/AsRequest.java | 1 +
.../kerberos/kerb/server/request/KdcRequest.java | 17 +++++++++++++++++
4 files changed, 41 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/aa1bd31e/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbError.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbError.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbError.java
index 9e272d5..52ffb49 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbError.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbError.java
@@ -80,9 +80,9 @@ public class KrbError extends KrbMessage {
new ExplicitField(KrbErrorField.STIME, KerberosTime.class),
new ExplicitField(KrbErrorField.SUSEC, Asn1Integer.class),
new ExplicitField(KrbErrorField.ERROR_CODE, Asn1Integer.class),
- new ExplicitField(KrbErrorField.CREALM, KerberosString.class),
+ new ExplicitField(KrbErrorField.CREALM, Realm.class),
new ExplicitField(KrbErrorField.CNAME, PrincipalName.class),
- new ExplicitField(KrbErrorField.REALM, KerberosString.class),
+ new ExplicitField(KrbErrorField.REALM, Realm.class),
new ExplicitField(KrbErrorField.SNAME, PrincipalName.class),
new ExplicitField(KrbErrorField.ETEXT, KerberosString.class),
new ExplicitField(KrbErrorField.EDATA, Asn1OctetString.class)
@@ -129,7 +129,7 @@ public class KrbError extends KrbMessage {
}
public void setErrorCode(KrbErrorCode errorCode) {
- setField(KrbErrorField.ERROR_CODE, errorCode);
+ setFieldAsInt(KrbErrorField.ERROR_CODE, errorCode.getValue());
}
public String getCrealm() {
@@ -137,15 +137,15 @@ public class KrbError extends KrbMessage {
}
public void setCrealm(String realm) {
- setFieldAs(KrbErrorField.CREALM, new KerberosString(realm));
+ setFieldAs(KrbErrorField.CREALM, new Realm(realm));
}
public PrincipalName getCname() {
return getFieldAs(KrbErrorField.CNAME, PrincipalName.class);
}
- public void setCname(PrincipalName sname) {
- setFieldAs(KrbErrorField.CNAME, sname);
+ public void setCname(PrincipalName cname) {
+ setFieldAs(KrbErrorField.CNAME, cname);
}
public PrincipalName getSname() {
@@ -161,15 +161,15 @@ public class KrbError extends KrbMessage {
}
public void setRealm(String realm) {
- setFieldAs(KrbErrorField.REALM, new KerberosString(realm));
+ setFieldAs(KrbErrorField.REALM, new Realm(realm));
}
public String getEtext() {
return getFieldAsString(KrbErrorField.ETEXT);
}
- public void setEtext(String realm) {
- setFieldAs(KrbErrorField.ETEXT, new KerberosString(realm));
+ public void setEtext(String text) {
+ setFieldAs(KrbErrorField.ETEXT, new KerberosString(text));
}
public byte[] getEdata() {
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/aa1bd31e/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
index 748f0bc..aa896c2 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
@@ -121,12 +121,24 @@ public class KdcHandler {
} else {
KrbError krbError = new KrbError();
krbError.setStime(KerberosTime.now());
+ krbError.setSusec(100);
krbError.setErrorCode(e.getKrbErrorCode());
- krbError.setCname(kdcRequest.getClientEntry().getPrincipal());
- krbError.setSname(kdcRequest.getServerPrincipal());
+ krbError.setCrealm(kdcContext.getKdcRealm());
+ if (kdcRequest.getClientPrincipal() != null) {
+ krbError.setCname(kdcRequest.getClientPrincipal());
+ }
krbError.setRealm(kdcContext.getKdcRealm());
+ if (kdcRequest.getServerPrincipal() != null) {
+ krbError.setSname(kdcRequest.getServerPrincipal());
+ } else {
+ PrincipalName serverPrincipal = kdcRequest.getKdcReq().getReqBody().getSname();
+ serverPrincipal.setRealm(kdcRequest.getKdcReq().getReqBody().getRealm());
+ krbError.setSname(serverPrincipal);
+ }
if (e.getKrbErrorCode().equals(KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY)) {
krbError.setEtext("PREAUTH_FAILED");
+ } else {
+ krbError.setEtext(e.getMessage());
}
krbResponse = krbError;
}
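Review bot: `krbError.setEtext(e.getMessage())` at L2055 sends the server-side exception message to an unauthenticated client for every error other than bad integrity; those messages are written for operators (the request realm is echoed into one at L1889, for instance) and can carry configuration detail, so prefer the fixed text of the error code (`e.getKrbErrorCode().getMessage()`) in etext and keep `e.getMessage()` for the server log. The fallback at L2048 calls `getReqBody().getSname()` and then `setRealm` on it, but sname is optional in a KDC-REQ-BODY, so a request without it turns this error path into a NullPointerException with no KRB-ERROR sent; check for null first and leave sname unset when it is absent. `setRealm` at L2049 also mutates the PrincipalName that belongs to the parsed request rather than a copy. The enclosing method continues past both ends of the hunk.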
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/aa1bd31e/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
index 49aa892..66fdac5 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
@@ -73,6 +73,7 @@ public class AsRequest extends KdcRequest {
clientRealm = getKdcContext().getKdcRealm();
}
clientPrincipal.setRealm(clientRealm);
+ setClientPrincipal(clientPrincipal);
KrbIdentity clientEntry;
if (isToken()) {
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/aa1bd31e/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index abd7eec..8203501 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -90,6 +90,7 @@ public abstract class KdcRequest {
private KrbIdentity tgsEntry;
private PreauthContext preauthContext;
private KdcFastContext fastContext;
+ private PrincipalName clientPrincipal;
private PrincipalName serverPrincipal;
private byte[] innerBodyout;
private AuthToken token;
@@ -757,6 +758,22 @@ public abstract class KdcRequest {
}
/**
+ * Get client principal.
+ * @return client principal
+ */
+ public PrincipalName getClientPrincipal() {
+ return clientPrincipal;
+ }
+
+ /**
+ * Set client principal.
+ * @param clientPrincipal client principal
+ */
+ public void setClientPrincipal(PrincipalName clientPrincipal) {
+ this.clientPrincipal = clientPrincipal;
+ }
+
+ /**
* Get server principal.
* @return server principal
*/
[11/50] [abbrv] directory-kerby git commit: Update pom.xml in
kerb-client-api-all and kerb-server-api-all.
Posted by co...@apache.org.
Update pom.xml in kerb-client-api-all and kerb-server-api-all.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/22b271ab
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/22b271ab
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/22b271ab
Branch: refs/heads/gssapi
Commit: 22b271abe8c991c4fb9028e73b978886507bd7d0
Parents: 25dc6b8
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Apr 27 16:22:47 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
kerby-kerb/kerb-client-api-all/pom.xml | 1 -
kerby-kerb/kerb-server-api-all/pom.xml | 1 -
2 files changed, 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/22b271ab/kerby-kerb/kerb-client-api-all/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client-api-all/pom.xml b/kerby-kerb/kerb-client-api-all/pom.xml
index ce90731..abf4f80 100644
--- a/kerby-kerb/kerb-client-api-all/pom.xml
+++ b/kerby-kerb/kerb-client-api-all/pom.xml
@@ -54,7 +54,6 @@
<excludes>
<exclude>junit:junit</exclude>
<exclude>org.slf4j:slf4j-api</exclude>
- <exclude>org.slf4j:slf4j-log4j12</exclude>
<exclude>org.apache.kerby:kerby-asn1</exclude>
<exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
<exclude>org.bouncycastle:bcprov-jdk15on</exclude>
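Review bot: Dropping `org.slf4j:slf4j-log4j12` from the shade `<excludes>` means the log4j 1.2 SLF4J binding is bundled into the kerb-client-api-all artifact, assuming it is on this module's dependency graph at all. A shaded jar that carries an SLF4J binding imposes that backend on every consumer, produces the multiple-bindings warning for consumers that ship their own, and, since log4j 1.x is no longer maintained, makes every downstream inherit its defects. If the api-all jar is meant to log through the consumer's backend, keep the exclusion; if bundling is intended, a short comment on the `<artifactSet>` stating why would help the next maintainer. The same removal appears in the kerb-server-api-all hunk below.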
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/22b271ab/kerby-kerb/kerb-server-api-all/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server-api-all/pom.xml b/kerby-kerb/kerb-server-api-all/pom.xml
index b6829d7..f9030a3 100644
--- a/kerby-kerb/kerb-server-api-all/pom.xml
+++ b/kerby-kerb/kerb-server-api-all/pom.xml
@@ -54,7 +54,6 @@
<excludes>
<exclude>junit:junit</exclude>
<exclude>org.slf4j:slf4j-api</exclude>
- <exclude>org.slf4j:slf4j-log4j12</exclude>
<exclude>org.apache.kerby:kerby-asn1</exclude>
</excludes>
</artifactSet>
[19/50] [abbrv] directory-kerby git commit: DIRKRB-569 Add unit test
of multiple KDCs for a given realm in client. Contributed by Wei.
Posted by co...@apache.org.
DIRKRB-569 Add unit test of multiple KDCs for a given realm in client. Contributed by Wei.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/0cac9c41
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/0cac9c41
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/0cac9c41
Branch: refs/heads/gssapi
Commit: 0cac9c41803740d616cfd5acd0e4db150f6f127e
Parents: 3fb403c
Author: plusplusjiajia <ji...@intel.com>
Authored: Fri May 13 15:52:49 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/request/ApRequest.java | 11 ++-
.../kerberos/kerb/gssapi/KerbyMechFactory.java | 9 +-
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 96 ++++++++++++++++++--
3 files changed, 98 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0cac9c41/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
index 096b0de..44f5b47 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -89,8 +89,11 @@ public class ApRequest {
authenticator.setAuthenticatorVno(5);
authenticator.setCname(clientPrincipal);
authenticator.setCrealm(sgtTicket.getRealm());
- authenticator.setCtime(KerberosTime.now());
- authenticator.setCusec(0);
+ long millis = System.currentTimeMillis();
+ int usec = (int) (millis % 1000) * 1000;
+ millis -= millis % 1000;
+ authenticator.setCtime(new KerberosTime(millis));
+ authenticator.setCusec(usec);
authenticator.setSubKey(sgtTicket.getSessionKey());
return authenticator;
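Review bot: The new cusec computation deserves a comment, because `(int) (millis % 1000) * 1000` reads like a precedence mistake at first glance (the cast applies to `millis % 1000` only and the result, at most 999, is then scaled to microseconds, which is correct). Suggested: `// RFC 4120 5.5.1: ctime holds whole seconds and cusec the microsecond remainder; the pair must be unique per request so the acceptor can detect replays.` The enclosing method's signature and closing brace lie outside the hunk, and the hunk is reproduced unchanged in the DIRKRB-568 commit below.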
@@ -138,13 +141,13 @@ public class ApRequest {
}
if (timeSkew != 0) {
- if (authenticator.getCtime().isInClockSkew(timeSkew)) {
+ if (!authenticator.getCtime().isInClockSkew(timeSkew)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
}
KerberosTime now = KerberosTime.now();
KerberosTime startTime = tktEncPart.getStartTime();
- if (startTime != null && startTime.greaterThanWithSkew(now, timeSkew)) {
+ if (startTime != null && !startTime.lessThanWithSkew(now, timeSkew)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0cac9c41/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
index a897c29..adacb27 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
@@ -20,6 +20,7 @@
package org.apache.kerby.kerberos.kerb.gssapi;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyAcceptCred;
+import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyContext;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyCredElement;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyInitCred;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyNameElement;
@@ -90,9 +91,7 @@ public class KerbyMechFactory implements MechanismFactory {
if (myInitiatorCred == null) {
myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
}
- return null;
- //For convenience of making patch, return null instead of introduce in KerbyContext
- //return new KerbyContext(caller, (KerbyNameElement)peer, (KerbyInitCred)myInitiatorCred, lifetime);
+ return new KerbyContext(caller, (KerbyNameElement) peer, (KerbyInitCred) myInitiatorCred, lifetime);
}
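Review bot: The new return line casts `peer` to `KerbyNameElement` and `myInitiatorCred` to `KerbyInitCred` without checking them, so a caller that supplies a name or credential element from another mechanism gets a `ClassCastException` instead of the `GSSException` the SPI contract leads it to catch. The same applies to the `(KerbyAcceptCred) myAcceptorCred` cast in the next hunk, and both hunks are reproduced unchanged in the DIRKRB-568 commit below. If a null `peer` must remain legal here, prefix the name check with `peer != null &&`; otherwise the guards below fail closed with the standard codes.
```java
        if (myInitiatorCred == null) {
            myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
        }
        if (!(peer instanceof KerbyNameElement)) {
            throw new GSSException(GSSException.BAD_NAME, -1, "Peer name is not a Kerby name element");
        }
        if (!(myInitiatorCred instanceof KerbyInitCred)) {
            throw new GSSException(GSSException.DEFECTIVE_CREDENTIAL, -1,
                "Initiator credential is not a Kerby credential element");
        }
        return new KerbyContext(caller, (KerbyNameElement) peer, (KerbyInitCred) myInitiatorCred, lifetime);
```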
public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
@@ -101,13 +100,13 @@ public class KerbyMechFactory implements MechanismFactory {
myAcceptorCred = getCredentialElement(null, 0,
GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
}
- return null; //return new KerbyContext(caller, (KerbyAcceptCred)myAcceptorCred);
+ return new KerbyContext(caller, (KerbyAcceptCred) myAcceptorCred);
}
// Reconstruct from previously exported context
public GSSContextSpi getMechanismContext(byte[] exportedContext)
throws GSSException {
- return null; //return new KerbyContext(caller, exportedContext);
+ return new KerbyContext(caller, exportedContext);
}
public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0cac9c41/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index b450cc9..1496cac 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -424,7 +424,8 @@ public class KerbyContext implements GSSContextSpi {
}
try {
- ApRequest.validate(serverKey, apReq, channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
+ ApRequest.validate(serverKey, apReq,
+ channelBinding == null ? null : channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
} catch (KrbException e) {
throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq verification failed: " + e.getMessage());
}
@@ -476,7 +477,20 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
+
+ int len;
+ byte[] inBuf;
+ try {
+ len = is.available();
+ inBuf = new byte[len];
+ is.read(inBuf);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error when get user data:" + e.getMessage());
+ }
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
+ token.wrap(os);
+ }
}
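Review bot: When `gssEncryptor.isV2()` is false the new `wrap` body writes nothing to `os` and returns normally, so the caller receives empty output and no error. The byte[] `wrap`, both `unwrap` variants and both `getMIC` variants in the following hunks return `null` or write nothing the same way, and the byte[] `verifyMIC` in the last hunk returns without checking anything, which means a non-V2 context reports every token as authentic. Each of these paths should fail closed, for example with an `else` branch `throw new GSSException(GSSException.UNAVAILABLE, -1, "Only RFC 4121 (v2) tokens are supported");`, or the V2 requirement should be enforced once when the context is established so the per-message methods can assume it. These hunks are reproduced unchanged in the DIRKRB-568 commit below.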
public byte[] wrap(byte[] inBuf, int offset, int len,
@@ -484,12 +498,24 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
- return null; // TODO: to be implemented
+ byte[] ret = null;
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
+ ret = token.wrap();
+ }
+ return ret;
}
public void unwrap(InputStream is, OutputStream os,
MessageProp msgProp) throws GSSException {
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
+ }
+
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
+ token.unwrap(os);
+ }
}
public byte[] unwrap(byte[] inBuf, int offset, int len,
@@ -497,30 +523,82 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
}
- return null; // TODO: to be implemented
+
+ byte[] ret = null;
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
+ ret = token.unwrap();
+ }
+ return ret;
}
public void getMIC(InputStream is, OutputStream os,
- MessageProp msgProp)
- throws GSSException {
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
+ }
+
+ try {
+ int len = is.available();
+ byte[] inMsg = new byte[len];
+ is.read(inMsg);
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, inMsg, 0, len, msgProp);
+ token.getMic(os);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error when get user data in getMIC:" + e.getMessage());
+ }
}
public byte[] getMIC(byte[] inMsg, int offset, int len,
MessageProp msgProp) throws GSSException {
- return null; // TODO: to be implemented
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
+ }
+
+ byte[] ret = null;
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, inMsg, offset, len, msgProp);
+ ret = token.getMic();
+ }
+ return ret;
}
public void verifyMIC(InputStream is, InputStream msgStr,
MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
+ }
+
+ try {
+ int tokLen = is.available();
+ byte[] inTok = new byte[tokLen];
+ int msgLen = msgStr.available();
+ byte[] inMsg = new byte[msgLen];
+
+ verifyMIC(inTok, 0, tokLen, inMsg, 0, msgLen, msgProp);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error when get user data in verifyMIC:" + e.getMessage());
+ }
}
public void verifyMIC(byte[]inTok, int tokOffset, int tokLen,
byte[] inMsg, int msgOffset, int msgLen,
MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
+ }
+
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, msgProp, inTok, tokOffset, tokLen);
+ token.verify(inMsg, msgOffset, msgLen);
+ }
}
public byte[] export() throws GSSException {
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export method");
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export() method");
}
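Review bot: The stream variant of `verifyMIC` allocates `inTok` and `inMsg` from `available()` but never reads either stream into them, so it verifies an all-zero token against an all-zero message and leaves the real input unread. The stream variants of `wrap` (first hunk of this file) and `getMIC` (this hunk) do read, but `available()` is only an estimate and the return value of `is.read(...)` is ignored, so a short read wraps or signs a buffer whose tail is still zero. Draining each stream with a small helper and delegating to the byte[] overloads fixes all three; the helper needs `java.io.ByteArrayOutputStream` in the imports, and if callers may pass streams carrying more than one message, bound the loop by the length you already compute instead of reading to EOF. The same hunks are reproduced unchanged in the DIRKRB-568 commit below.
```java
    /** Drains {@code in} completely; available() is only an estimate and read() may return short. */
    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    public void verifyMIC(InputStream is, InputStream msgStr,
                          MessageProp msgProp) throws GSSException {
        // … unchanged: ctxState check …
        try {
            byte[] inTok = readAll(is);
            byte[] inMsg = readAll(msgStr);
            verifyMIC(inTok, 0, inTok.length, inMsg, 0, inMsg.length, msgProp);
        } catch (IOException e) {
            // … unchanged: GSSException wrapping …
        }
    }
```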
public void dispose() throws GSSException {
[18/50] [abbrv] directory-kerby git commit: DIRKRB-568 Using RFC 4121
tokens in KerbyContext. Contributed by Wei.
Posted by co...@apache.org.
DIRKRB-568 Using RFC 4121 tokens in KerbyContext. Contributed by Wei.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/e55fb7a2
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/e55fb7a2
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/e55fb7a2
Branch: refs/heads/gssapi
Commit: e55fb7a2fa1a1c3b50b5c1651b98ce0b5bdce06b
Parents: 426d3ec
Author: plusplusjiajia <ji...@intel.com>
Authored: Fri May 13 15:55:59 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/request/ApRequest.java | 11 ++-
.../kerberos/kerb/gssapi/KerbyMechFactory.java | 9 +-
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 96 ++++++++++++++++++--
3 files changed, 98 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e55fb7a2/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
index 096b0de..44f5b47 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -89,8 +89,11 @@ public class ApRequest {
authenticator.setAuthenticatorVno(5);
authenticator.setCname(clientPrincipal);
authenticator.setCrealm(sgtTicket.getRealm());
- authenticator.setCtime(KerberosTime.now());
- authenticator.setCusec(0);
+ long millis = System.currentTimeMillis();
+ int usec = (int) (millis % 1000) * 1000;
+ millis -= millis % 1000;
+ authenticator.setCtime(new KerberosTime(millis));
+ authenticator.setCusec(usec);
authenticator.setSubKey(sgtTicket.getSessionKey());
return authenticator;
@@ -138,13 +141,13 @@ public class ApRequest {
}
if (timeSkew != 0) {
- if (authenticator.getCtime().isInClockSkew(timeSkew)) {
+ if (!authenticator.getCtime().isInClockSkew(timeSkew)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
}
KerberosTime now = KerberosTime.now();
KerberosTime startTime = tktEncPart.getStartTime();
- if (startTime != null && startTime.greaterThanWithSkew(now, timeSkew)) {
+ if (startTime != null && !startTime.lessThanWithSkew(now, timeSkew)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e55fb7a2/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
index a897c29..adacb27 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
@@ -20,6 +20,7 @@
package org.apache.kerby.kerberos.kerb.gssapi;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyAcceptCred;
+import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyContext;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyCredElement;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyInitCred;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyNameElement;
@@ -90,9 +91,7 @@ public class KerbyMechFactory implements MechanismFactory {
if (myInitiatorCred == null) {
myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
}
- return null;
- //For convenience of making patch, return null instead of introduce in KerbyContext
- //return new KerbyContext(caller, (KerbyNameElement)peer, (KerbyInitCred)myInitiatorCred, lifetime);
+ return new KerbyContext(caller, (KerbyNameElement) peer, (KerbyInitCred) myInitiatorCred, lifetime);
}
public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
@@ -101,13 +100,13 @@ public class KerbyMechFactory implements MechanismFactory {
myAcceptorCred = getCredentialElement(null, 0,
GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
}
- return null; //return new KerbyContext(caller, (KerbyAcceptCred)myAcceptorCred);
+ return new KerbyContext(caller, (KerbyAcceptCred) myAcceptorCred);
}
// Reconstruct from previously exported context
public GSSContextSpi getMechanismContext(byte[] exportedContext)
throws GSSException {
- return null; //return new KerbyContext(caller, exportedContext);
+ return new KerbyContext(caller, exportedContext);
}
public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e55fb7a2/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index b450cc9..1496cac 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -424,7 +424,8 @@ public class KerbyContext implements GSSContextSpi {
}
try {
- ApRequest.validate(serverKey, apReq, channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
+ ApRequest.validate(serverKey, apReq,
+ channelBinding == null ? null : channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
} catch (KrbException e) {
throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq verification failed: " + e.getMessage());
}
@@ -476,7 +477,20 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
+
+ int len;
+ byte[] inBuf;
+ try {
+ len = is.available();
+ inBuf = new byte[len];
+ is.read(inBuf);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error when get user data:" + e.getMessage());
+ }
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
+ token.wrap(os);
+ }
}
public byte[] wrap(byte[] inBuf, int offset, int len,
@@ -484,12 +498,24 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
- return null; // TODO: to be implemented
+ byte[] ret = null;
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
+ ret = token.wrap();
+ }
+ return ret;
}
public void unwrap(InputStream is, OutputStream os,
MessageProp msgProp) throws GSSException {
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
+ }
+
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
+ token.unwrap(os);
+ }
}
public byte[] unwrap(byte[] inBuf, int offset, int len,
@@ -497,30 +523,82 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
}
- return null; // TODO: to be implemented
+
+ byte[] ret = null;
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
+ ret = token.unwrap();
+ }
+ return ret;
}
public void getMIC(InputStream is, OutputStream os,
- MessageProp msgProp)
- throws GSSException {
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
+ }
+
+ try {
+ int len = is.available();
+ byte[] inMsg = new byte[len];
+ is.read(inMsg);
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, inMsg, 0, len, msgProp);
+ token.getMic(os);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error when get user data in getMIC:" + e.getMessage());
+ }
}
public byte[] getMIC(byte[] inMsg, int offset, int len,
MessageProp msgProp) throws GSSException {
- return null; // TODO: to be implemented
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
+ }
+
+ byte[] ret = null;
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, inMsg, offset, len, msgProp);
+ ret = token.getMic();
+ }
+ return ret;
}
public void verifyMIC(InputStream is, InputStream msgStr,
MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
+ }
+
+ try {
+ int tokLen = is.available();
+ byte[] inTok = new byte[tokLen];
+ int msgLen = msgStr.available();
+ byte[] inMsg = new byte[msgLen];
+
+ verifyMIC(inTok, 0, tokLen, inMsg, 0, msgLen, msgProp);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error when get user data in verifyMIC:" + e.getMessage());
+ }
}
public void verifyMIC(byte[]inTok, int tokOffset, int tokLen,
byte[] inMsg, int msgOffset, int msgLen,
MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
+ }
+
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, msgProp, inTok, tokOffset, tokLen);
+ token.verify(inMsg, msgOffset, msgLen);
+ }
}
public byte[] export() throws GSSException {
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export method");
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export() method");
}
public void dispose() throws GSSException {
[48/50] [abbrv] directory-kerby git commit: Added some checks and did
some clean up
Posted by co...@apache.org.
Added some checks and did some clean up
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/4f50e851
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/4f50e851
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/4f50e851
Branch: refs/heads/gssapi
Commit: 4f50e8511d7f0989d21109a792a3495319fd1280
Parents: 62cf23d
Author: Kai Zheng <ka...@intel.com>
Authored: Sun Jun 12 23:34:15 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerb/type/ad/AuthorizationType.java | 17 +++++----------
.../kerberos/kerb/type/base/EncryptionType.java | 2 +-
.../kerberos/kerb/type/base/HostAddrType.java | 4 ++--
.../kerby/kerberos/kerb/KrbInputStream.java | 22 +++++++++++++-------
.../kerb/ccache/CredCacheInputStream.java | 17 ++++++++++++---
.../kerby/kerberos/kerb/ccache/Credential.java | 1 -
.../kerberos/kerb/keytab/KeytabInputStream.java | 12 -----------
7 files changed, 37 insertions(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4f50e851/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
index 0135215..e6c40c4 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java
@@ -21,9 +21,6 @@ package org.apache.kerby.kerberos.kerb.type.ad;
import org.apache.kerby.asn1.EnumType;
-import java.util.HashMap;
-import java.util.Map;
-
/**
* The various AuthorizationType values, as defined in RFC 4120 and RFC 1510.
*
@@ -33,7 +30,7 @@ public enum AuthorizationType implements EnumType {
/**
* Constant for the "null" authorization type.
*/
- NULL(0),
+ NONE(0),
/**
* Constant for the "if relevant" authorization type.
@@ -315,8 +312,6 @@ public enum AuthorizationType implements EnumType {
/** The internal value */
private final int value;
- private static Map<Integer, AuthorizationType> valueMap;
-
/**
* Create a new enum
*/
@@ -348,15 +343,13 @@ public enum AuthorizationType implements EnumType {
*/
public static AuthorizationType fromValue(Integer value) {
if (value != null) {
- if (valueMap == null) {
- valueMap = new HashMap<Integer, AuthorizationType>(32);
- for (EnumType e : values()) {
- valueMap.put(e.getValue(), (AuthorizationType) e);
+ for (EnumType e : values()) {
+ if (e.getValue() == value) {
+ return (AuthorizationType) e;
}
}
- return valueMap.get(value);
}
- return NULL;
+ return NONE;
}
}
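Review bot: `fromValue` now returns `NONE` for any value that matches no constant, so callers cannot distinguish an unrecognised authorization-data type from an explicit 0, whereas the removed map lookup returned `null` for unknown values. Combined with `CredCacheInputStream.readAuthzDataEntry` in this commit rejecting `NONE`, a credential cache that carries a vendor-specific or newer AD type appears to be rejected as invalid rather than preserved opaquely. If that is intended, say so in the Javadoc, e.g. `@return the matching type, or {@code NONE} when {@code value} is null or matches no constant`; otherwise keep `null` as the unknown marker.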
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4f50e851/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/EncryptionType.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/EncryptionType.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/EncryptionType.java
index 86962de..24a4119 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/EncryptionType.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/EncryptionType.java
@@ -131,7 +131,7 @@ public enum EncryptionType implements EnumType {
if (name != null) {
for (EncryptionType e : values()) {
if (e.getName().equals(name)) {
- return (EncryptionType) e;
+ return e;
}
}
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4f50e851/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddrType.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddrType.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddrType.java
index 21ae885..30501c5 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddrType.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/HostAddrType.java
@@ -30,7 +30,7 @@ public enum HostAddrType implements EnumType {
/**
* Constant for the "null" host address type.
*/
- NULL(0),
+ NONE(0),
/**
* Constant for the "Internet" host address type.
@@ -120,6 +120,6 @@ public enum HostAddrType implements EnumType {
}
}
- return NULL;
+ return HostAddrType.NONE;
}
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4f50e851/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/KrbInputStream.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/KrbInputStream.java b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/KrbInputStream.java
index 3dac9bf..9611fe0 100644
--- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/KrbInputStream.java
+++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/KrbInputStream.java
@@ -42,20 +42,25 @@ public abstract class KrbInputStream extends DataInputStream {
public abstract PrincipalName readPrincipal(int version) throws IOException;
- public EncryptionKey readKey(int version) throws IOException {
+ public EncryptionKey readKey() throws IOException {
int eType = readShort();
- EncryptionType encryptionType = EncryptionType.fromValue(eType);
-
+ EncryptionType encType = EncryptionType.fromValue(eType);
byte[] keyData = readCountedOctets();
- EncryptionKey key = new EncryptionKey(encryptionType, keyData);
+ if (encType == EncryptionType.NONE || keyData == null) {
+ return null;
+ }
+ EncryptionKey key = new EncryptionKey(encType, keyData);
return key;
}
public String readCountedString() throws IOException {
byte[] countedOctets = readCountedOctets();
- // ASCII
- return new String(countedOctets, StandardCharsets.UTF_8);
+ if (countedOctets != null) {
+ // ASCII
+ return new String(countedOctets, StandardCharsets.UTF_8);
+ }
+ return null;
}
public byte[] readCountedOctets() throws IOException {
@@ -63,10 +68,13 @@ public abstract class KrbInputStream extends DataInputStream {
if (len == 0) {
return null;
}
+ if (len < 0 || len > available()) {
+ throw new IOException("Unexpected octets len: " + len);
+ }
byte[] data = new byte[len];
if (read(data) == -1) {
- throw new IOException();
+ throw new IOException("Unexpected end of stream");
}
return data;
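Review bot: The `read(data) == -1` test that follows the new length check still only catches immediate end-of-stream; `InputStream.read(byte[])` may return fewer than `len` bytes, leaving the tail of `data` zero-filled and the stream positioned mid-field for the next read. Since this class extends `DataInputStream`, replace the read and its check with `readFully(data);`, which throws `EOFException` on a truncated stream. Note also that `available()` is only an estimate for anything other than a file-backed stream, so the new `len > available()` guard can reject valid input arriving over a socket or pipe; it is a useful cap on allocation but should not be the only protection against a bad length.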
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4f50e851/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredCacheInputStream.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredCacheInputStream.java b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredCacheInputStream.java
index ea52156..dded504 100644
--- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredCacheInputStream.java
+++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/CredCacheInputStream.java
@@ -73,10 +73,10 @@ public class CredCacheInputStream extends KrbInputStream {
public EncryptionKey readKey(int version) throws IOException {
if (version == CredentialCache.FCC_FVNO_3) {
- readShort(); // ignore keytype
+ readShort(); // ignore keytype
}
- return super.readKey(version);
+ return super.readKey();
}
public KerberosTime[] readTimes() throws IOException {
@@ -113,8 +113,13 @@ public class CredCacheInputStream extends KrbInputStream {
public HostAddress readAddress() throws IOException {
int typeValue = readShort();
HostAddrType addrType = HostAddrType.fromValue(typeValue);
+ if (addrType == HostAddrType.NONE) {
+ throw new IOException("Invalid host address type");
+ }
byte[] addrData = readCountedOctets();
-
+ if (addrData == null) {
+ throw new IOException("Invalid host address data");
+ }
HostAddress addr = new HostAddress();
addr.setAddrType(addrType);
addr.setAddress(addrData);
@@ -141,7 +146,13 @@ public class CredCacheInputStream extends KrbInputStream {
public AuthorizationDataEntry readAuthzDataEntry() throws IOException {
int typeValue = readShort();
AuthorizationType authzType = AuthorizationType.fromValue(typeValue);
+ if (authzType == AuthorizationType.NONE) {
+ throw new IOException("Invalid authorization data type");
+ }
byte[] authzData = readCountedOctets();
+ if (authzData == null) {
+ throw new IOException("Invalid authorization data");
+ }
AuthorizationDataEntry authzEntry = new AuthorizationDataEntry();
authzEntry.setAuthzType(authzType);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4f50e851/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/Credential.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/Credential.java b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/Credential.java
index c29c8bd..03484dc 100644
--- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/Credential.java
+++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/Credential.java
@@ -175,7 +175,6 @@ public class Credential {
if (serverName.getRealm().equals(CONF_REALM)) {
isConfEntry = true;
}
-
this.key = ccis.readKey(version);
KerberosTime[] times = ccis.readTimes();
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4f50e851/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/keytab/KeytabInputStream.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/keytab/KeytabInputStream.java b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/keytab/KeytabInputStream.java
index 2e52b9c..111ad14 100644
--- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/keytab/KeytabInputStream.java
+++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/keytab/KeytabInputStream.java
@@ -21,8 +21,6 @@ package org.apache.kerby.kerberos.kerb.keytab;
import org.apache.kerby.kerberos.kerb.KrbInputStream;
import org.apache.kerby.kerberos.kerb.type.KerberosTime;
-import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
-import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.apache.kerby.kerberos.kerb.type.base.NameType;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
@@ -64,16 +62,6 @@ public class KeytabInputStream extends KrbInputStream {
return principal;
}
- public EncryptionKey readKey() throws IOException {
- int eType = readShort();
- EncryptionType encryptionType = EncryptionType.fromValue(eType);
-
- byte[] keyData = readCountedOctets();
- EncryptionKey key = new EncryptionKey(encryptionType, keyData);
-
- return key;
- }
-
@Override
public int readOctetsCount() throws IOException {
return readShort();
[37/50] [abbrv] directory-kerby git commit: Make it easier to pass
custom tokens through via KrbToken. Currently, the code is tied to "KrbToken",
which enforces the use of encoders/decoders.
Posted by co...@apache.org.
Make it easier to pass custom tokens through via KrbToken.
Currently, the code is tied to "KrbToken", which enforces the use of encoders/decoders.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/56f69587
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/56f69587
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/56f69587
Branch: refs/heads/gssapi
Commit: 56f69587c733ed88802aa75559f66417f2e1373d
Parents: a2beb88
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Jun 16 12:12:55 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerb/client/preauth/token/TokenPreauth.java | 4 +-
.../kerby/kerberos/kerb/type/base/KrbToken.java | 64 +------------
.../kerberos/kerb/type/base/KrbTokenBase.java | 97 ++++++++++++++++++++
.../kerb/type/pa/token/PaTokenRequest.java | 10 +-
.../kerb/server/preauth/token/TokenPreauth.java | 4 +-
5 files changed, 108 insertions(+), 71 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/56f69587/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
index 15f9874..0830f20 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
@@ -36,7 +36,7 @@ import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
-import org.apache.kerby.kerberos.kerb.type.base.KrbToken;
+import org.apache.kerby.kerberos.kerb.type.base.KrbTokenBase;
import org.apache.kerby.kerberos.kerb.type.pa.PaData;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
@@ -187,7 +187,7 @@ public class TokenPreauth extends AbstractPreauthPlugin {
}
PaTokenRequest tokenPa = new PaTokenRequest();
- tokenPa.setToken((KrbToken) authToken);
+ tokenPa.setToken((KrbTokenBase) authToken);
TokenInfo info = new TokenInfo();
info.setTokenVendor(authToken.getIssuer());
tokenPa.setTokenInfo(info);
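Review bot: The cast `(KrbTokenBase) authToken` on the changed line assumes every AuthToken handed to the plugin is also a KrbTokenBase, which the AuthToken interface does not promise — a custom AuthToken implementation, the case this commit sets out to support, would fail here with a ClassCastException instead of a meaningful error. Guard it first: `if (!(authToken instanceof KrbTokenBase)) { throw new KrbException("AuthToken is not a KrbTokenBase: " + authToken.getClass().getName()); }`. Whether KrbException is the right type depends on the enclosing method's throws clause, which is outside the hunk.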
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/56f69587/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbToken.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbToken.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbToken.java
index 597d531..68d3a3b 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbToken.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbToken.java
@@ -23,17 +23,11 @@ import java.util.Date;
import java.util.List;
import java.util.Map;
-import org.apache.kerby.asn1.Asn1FieldInfo;
-import org.apache.kerby.asn1.EnumType;
-import org.apache.kerby.asn1.ExplicitField;
-import org.apache.kerby.asn1.type.Asn1Integer;
-import org.apache.kerby.asn1.type.Asn1OctetString;
import org.apache.kerby.kerberos.kerb.KrbConstant;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.KrbRuntime;
import org.apache.kerby.kerberos.kerb.provider.TokenDecoder;
import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
-import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
/**
* KRB-TOKEN_VALUE ::= SEQUENCE {
@@ -41,38 +35,17 @@ import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
* token-value [1] OCTET STRING,
* }
*/
-public class KrbToken extends KrbSequenceType implements AuthToken {
+public class KrbToken extends KrbTokenBase implements AuthToken {
private static TokenEncoder tokenEncoder;
private static TokenDecoder tokenDecoder;
- protected enum KrbTokenField implements EnumType {
- TOKEN_FORMAT,
- TOKEN_VALUE;
-
- @Override
- public int getValue() {
- return ordinal();
- }
-
- @Override
- public String getName() {
- return name();
- }
- }
-
private AuthToken innerToken = null;
- static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[]{
- new ExplicitField(KrbTokenField.TOKEN_FORMAT, Asn1Integer.class),
- new ExplicitField(KrbTokenField.TOKEN_VALUE, Asn1OctetString.class)
- };
-
-
/**
* Default constructor.
*/
public KrbToken() {
- super(fieldInfos);
+ super();
}
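Review bot: The constructor body `super();` at the end of the hunk is what the compiler inserts anyway, so the explicit call only documents intent; either drop the constructor or replace the call with a comment such as `// field layout comes from KrbTokenBase`. The ASN.1 grammar in the class Javadoc just above now duplicates the one on KrbTokenBase; a `{@link KrbTokenBase}` reference plus a sentence on what this subclass adds (the AuthToken view backed by the static TokenEncoder/TokenDecoder) would serve a reader better here.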
/**
@@ -149,39 +122,6 @@ public class KrbToken extends KrbSequenceType implements AuthToken {
}
/**
- * Get token format.
- * @return The token format
- */
- public TokenFormat getTokenFormat() {
- Integer value = getFieldAsInteger(KrbTokenField.TOKEN_FORMAT);
- return TokenFormat.fromValue(value);
- }
-
- /**
- * Set token format.
- * @param tokenFormat The token format
- */
- public void setTokenFormat(TokenFormat tokenFormat) {
- setFieldAsInt(KrbTokenField.TOKEN_FORMAT, tokenFormat.getValue());
- }
-
- /**
- * Get token value.
- * @return The token value
- */
- public byte[] getTokenValue() {
- return getFieldAsOctets(KrbTokenField.TOKEN_VALUE);
- }
-
- /**
- * Set token value.
- * @param tokenValue The token value
- */
- public void setTokenValue(byte[] tokenValue) {
- setFieldAsOctets(KrbTokenField.TOKEN_VALUE, tokenValue);
- }
-
- /**
* {@inheritDoc}
*/
@Override
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/56f69587/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbTokenBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbTokenBase.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbTokenBase.java
new file mode 100644
index 0000000..ddca54e
--- /dev/null
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/base/KrbTokenBase.java
@@ -0,0 +1,97 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.type.base;
+
+import org.apache.kerby.asn1.Asn1FieldInfo;
+import org.apache.kerby.asn1.EnumType;
+import org.apache.kerby.asn1.ExplicitField;
+import org.apache.kerby.asn1.type.Asn1Integer;
+import org.apache.kerby.asn1.type.Asn1OctetString;
+import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
+
+/**
+ * KRB-TOKEN_VALUE ::= SEQUENCE {
+ * token-format [0] INTEGER,
+ * token-value [1] OCTET STRING,
+ * }
+ */
+public class KrbTokenBase extends KrbSequenceType {
+
+ protected enum KrbTokenField implements EnumType {
+ TOKEN_FORMAT,
+ TOKEN_VALUE;
+
+ @Override
+ public int getValue() {
+ return ordinal();
+ }
+
+ @Override
+ public String getName() {
+ return name();
+ }
+ }
+
+ static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[]{
+ new ExplicitField(KrbTokenField.TOKEN_FORMAT, Asn1Integer.class),
+ new ExplicitField(KrbTokenField.TOKEN_VALUE, Asn1OctetString.class)
+ };
+
+ /**
+ * Default constructor.
+ */
+ public KrbTokenBase() {
+ super(fieldInfos);
+ }
+
+ /**
+ * Get token format.
+ * @return The token format
+ */
+ public TokenFormat getTokenFormat() {
+ Integer value = getFieldAsInteger(KrbTokenField.TOKEN_FORMAT);
+ return TokenFormat.fromValue(value);
+ }
+
+ /**
+ * Set token format.
+ * @param tokenFormat The token format
+ */
+ public void setTokenFormat(TokenFormat tokenFormat) {
+ setFieldAsInt(KrbTokenField.TOKEN_FORMAT, tokenFormat.getValue());
+ }
+
+ /**
+ * Get token value.
+ * @return The token value
+ */
+ public byte[] getTokenValue() {
+ return getFieldAsOctets(KrbTokenField.TOKEN_VALUE);
+ }
+
+ /**
+ * Set token value.
+ * @param tokenValue The token value
+ */
+ public void setTokenValue(byte[] tokenValue) {
+ setFieldAsOctets(KrbTokenField.TOKEN_VALUE, tokenValue);
+ }
+
+}
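Review bot: `fieldInfos` on the line `static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[]{` is a package-visible, non-final, mutable array that every KrbTokenBase (and KrbToken) instance passes to its ASN.1 sequence, so any code in the package can reassign or modify it and change how all tokens are decoded. Nothing moved into this class writes to it and KrbToken now calls `super()` rather than reading it, so it can be `private static final Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[]{`. `getTokenFormat()` also passes `TokenFormat.fromValue` an `Integer` that is presumably null when a decoded token lacks the field; whether fromValue tolerates null is not visible here, so an explicit null check with a clear error would make that failure mode deliberate.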
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/56f69587/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/token/PaTokenRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/token/PaTokenRequest.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/token/PaTokenRequest.java
index 7819f16..b0dab16 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/token/PaTokenRequest.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/token/PaTokenRequest.java
@@ -23,7 +23,7 @@ import org.apache.kerby.asn1.Asn1FieldInfo;
import org.apache.kerby.asn1.EnumType;
import org.apache.kerby.asn1.ExplicitField;
import org.apache.kerby.kerberos.kerb.type.KrbSequenceType;
-import org.apache.kerby.kerberos.kerb.type.base.KrbToken;
+import org.apache.kerby.kerberos.kerb.type.base.KrbTokenBase;
/**
PA-TOKEN-REQUEST ::= SEQUENCE {
@@ -49,18 +49,18 @@ public class PaTokenRequest extends KrbSequenceType {
static Asn1FieldInfo[] fieldInfos = new Asn1FieldInfo[] {
new ExplicitField(PaTokenRequestField.TOKEN_INFO, TokenInfo.class),
- new ExplicitField(PaTokenRequestField.TOKEN, KrbToken.class)
+ new ExplicitField(PaTokenRequestField.TOKEN, KrbTokenBase.class)
};
public PaTokenRequest() {
super(fieldInfos);
}
- public KrbToken getToken() {
- return getFieldAs(PaTokenRequestField.TOKEN, KrbToken.class);
+ public KrbTokenBase getToken() {
+ return getFieldAs(PaTokenRequestField.TOKEN, KrbTokenBase.class);
}
- public void setToken(KrbToken token) {
+ public void setToken(KrbTokenBase token) {
setFieldAs(PaTokenRequestField.TOKEN, token);
}
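Review bot: `getToken()` and `setToken(KrbTokenBase)` change their public type without any Javadoc, and the new type is a plain ASN.1 sequence rather than an AuthToken, so a caller that used to receive a decoded KrbToken now receives raw token-format/token-value fields. A short Javadoc on the getter, e.g. `/** @return the token as carried on the wire; it must be decoded (for example into a KrbToken) before it can be used as an AuthToken. */`, would spell out the new contract for the server-side TokenPreauth that consumes it.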
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/56f69587/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index 34fec85..5abca91 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -37,7 +37,7 @@ import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
-import org.apache.kerby.kerberos.kerb.type.base.KrbToken;
+import org.apache.kerby.kerberos.kerb.type.base.KrbTokenBase;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
@@ -75,7 +75,7 @@ public class TokenPreauth extends AbstractPreauthPlugin {
PaTokenRequest paTokenRequest = EncryptionUtil.unseal(encData, clientKey,
KeyUsage.PA_TOKEN, PaTokenRequest.class);
- KrbToken token = paTokenRequest.getToken();
+ KrbTokenBase token = paTokenRequest.getToken();
List<String> issuers = kdcRequest.getKdcContext().getConfig().getIssuers();
TokenInfo tokenInfo = paTokenRequest.getTokenInfo();
String issuer = tokenInfo.getTokenVendor();
[16/50] [abbrv] directory-kerby git commit: DIRKRB-562 KDC virtual
memory used increases with the requestes processed. Contributed by Wei.
Posted by co...@apache.org.
DIRKRB-562 KDC virtual memory used increases with the requests processed. Contributed by Wei.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/b9a11ae0
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/b9a11ae0
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/b9a11ae0
Branch: refs/heads/gssapi
Commit: b9a11ae0449cab835fa5e2f9a3d7cfb155dfa886
Parents: 5cb6d17
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed May 4 09:28:29 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../java/org/apache/kerby/kerberos/kdc/impl/NettyKdcNetwork.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/b9a11ae0/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcNetwork.java
----------------------------------------------------------------------
diff --git a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcNetwork.java b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcNetwork.java
index 86160a9..cfa4adb 100644
--- a/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcNetwork.java
+++ b/kerby-kdc/src/main/java/org/apache/kerby/kerberos/kdc/impl/NettyKdcNetwork.java
@@ -51,6 +51,7 @@ public class NettyKdcNetwork {
private EventLoopGroup bossGroup;
private EventLoopGroup workerGroup;
private EventLoopGroup group;
+ private DefaultEventExecutorGroup executorGroup;
private static final Logger LOG = LoggerFactory.getLogger(NettyKdcNetwork.class);
public void init(KdcContext kdcContext) {
@@ -58,6 +59,7 @@ public class NettyKdcNetwork {
// Configure the server.
bossGroup = new NioEventLoopGroup(1);
workerGroup = new NioEventLoopGroup();
+ executorGroup = new DefaultEventExecutorGroup(10); //TODO: to configure.
}
public void listen(InetSocketAddress tcpAddress,
@@ -110,7 +112,7 @@ public class NettyKdcNetwork {
public void initChannel(SocketChannel ch) throws Exception {
ChannelPipeline p = ch.pipeline();
p.addLast(new KrbMessageDecoder());
- p.addLast(new DefaultEventExecutorGroup(10), //TODO: to configure.
+ p.addLast(executorGroup,
"KDC_HANDLER",
new NettyKdcHandler(kdcContext));
}
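Review bot: `executorGroup` is now created once in `init` (the hunk above) and shared across channels, which removes the per-connection pool that caused the leak, but nothing in these hunks shuts it down; a DefaultEventExecutorGroup owns a thread pool that outlives the channels, so the stop path (outside these hunks, where bossGroup and workerGroup are presumably released) needs `executorGroup.shutdownGracefully();` as well. With the pool size now set in `init`, the `//TODO: to configure.` value of 10 is also a natural candidate for a KdcContext setting rather than a literal.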
[42/50] [abbrv] directory-kerby git commit: Fixing warnings
Posted by co...@apache.org.
Fixing warnings
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/cc5c33a6
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/cc5c33a6
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/cc5c33a6
Branch: refs/heads/gssapi
Commit: cc5c33a6755db648dbfc809b4981f56b4de5095b
Parents: 56f6958
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jun 17 11:42:51 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerb/server/preauth/pkinit/PkinitPreauth.java | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/cc5c33a6/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
index fa93780..f0080c9 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.java
@@ -252,7 +252,7 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
String identity = pkinitContext.identityOpts.identity;
- PaPkAsRep paPkAsRep = makePaPkAsRep(pkinitContext.cryptoctx, serverPubKey, identity);
+ PaPkAsRep paPkAsRep = makePaPkAsRep(serverPubKey, identity);
PaDataEntry paDataEntry = makeEntry(paPkAsRep);
kdcRequest.getPreauthContext().getOutputPaData().add(paDataEntry);
@@ -300,16 +300,14 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
return paDataEntry;
}
- private PaPkAsRep makePaPkAsRep(PkinitPlgCryptoContext cryptoContext,
- DHPublicKey severPubKey, String identityString) throws KrbException {
+ private PaPkAsRep makePaPkAsRep(DHPublicKey severPubKey, String identityString) throws KrbException {
List<String> identityList = Arrays.asList(identityString.split(","));
List<X509Certificate> certificates = new ArrayList<>();
for (String identity : identityList) {
File file = new File(identity);
- try {
- Scanner scanner = new Scanner(file, "UTF-8");
+ try (Scanner scanner = new Scanner(file, "UTF-8")) {
String found = scanner.findInLine("CERTIFICATE");
if (found != null) {
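Review bot: The try-with-resources on `new Scanner(file, "UTF-8")` now closes the file, but Scanner swallows the underlying IOException and simply stops returning tokens, so an unreadable certificate file named in `identity` shows up as `found == null` rather than as an error. Checking `scanner.ioException()` after the scan, or reading the file through a `BufferedReader` that propagates the exception, would make a bad identity path fail loudly. The body of `makePaPkAsRep` continues past the hunk.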
@@ -353,7 +351,7 @@ public class PkinitPreauth extends AbstractPreauthPlugin {
certificateSet.addElement(certificateChoices);
}
- String oid = cryptoContext.getIdPkinitDHKeyDataOID();
+ String oid = PkinitPlgCryptoContext.getIdPkinitDHKeyDataOID();
signedDataBytes = PkinitCrypto.cmsSignedDataCreate(KrbCodec.encode(kdcDhKeyInfo), oid, 3, null,
null, null, null);
[25/50] [abbrv] directory-kerby git commit: Rename the templete conf
file name.
Posted by co...@apache.org.
Rename the template conf file.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/7005d517
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/7005d517
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/7005d517
Branch: refs/heads/gssapi
Commit: 7005d5171a8b3b620ac0c87a76463005a28914b3
Parents: cc050f0
Author: plusplusjiajia <ji...@intel.com>
Authored: Mon Jun 6 10:01:04 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/client/Krb5Conf.java | 2 +-
.../src/main/resources/krb5-template.conf | 29 ++++++++++++++++++++
.../kerb-simplekdc/src/main/resources/krb5.conf | 29 --------------------
.../src/main/resources/krb5_udp-template.conf | 29 ++++++++++++++++++++
.../src/main/resources/krb5_udp.conf | 29 --------------------
5 files changed, 59 insertions(+), 59 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7005d517/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/client/Krb5Conf.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/client/Krb5Conf.java b/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/client/Krb5Conf.java
index dc47652..23fea52 100644
--- a/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/client/Krb5Conf.java
+++ b/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/client/Krb5Conf.java
@@ -49,7 +49,7 @@ public class Krb5Conf {
private File generateConfFile() throws IOException {
KdcSetting setting = kdcServer.getKdcSetting();
- String resourcePath = setting.allowUdp() ? "/krb5_udp.conf" : "/krb5.conf";
+ String resourcePath = setting.allowUdp() ? "/krb5_udp-template.conf" : "/krb5-template.conf";
InputStream templateResource = getClass().getResourceAsStream(resourcePath);
String templateContent = IOUtil.readInput(templateResource);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7005d517/kerby-kerb/kerb-simplekdc/src/main/resources/krb5-template.conf
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-simplekdc/src/main/resources/krb5-template.conf b/kerby-kerb/kerb-simplekdc/src/main/resources/krb5-template.conf
new file mode 100644
index 0000000..0954538
--- /dev/null
+++ b/kerby-kerb/kerb-simplekdc/src/main/resources/krb5-template.conf
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+[libdefaults]
+ kdc_realm = _REALM_
+ default_realm = _REALM_
+ udp_preference_limit = _UDP_LIMIT_
+ #_KDC_TCP_PORT_
+ #_KDC_UDP_PORT_
+
+[realms]
+ _REALM_ = {
+ kdc = localhost:_KDC_PORT_
+ }
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7005d517/kerby-kerb/kerb-simplekdc/src/main/resources/krb5.conf
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-simplekdc/src/main/resources/krb5.conf b/kerby-kerb/kerb-simplekdc/src/main/resources/krb5.conf
deleted file mode 100644
index 0954538..0000000
--- a/kerby-kerb/kerb-simplekdc/src/main/resources/krb5.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-[libdefaults]
- kdc_realm = _REALM_
- default_realm = _REALM_
- udp_preference_limit = _UDP_LIMIT_
- #_KDC_TCP_PORT_
- #_KDC_UDP_PORT_
-
-[realms]
- _REALM_ = {
- kdc = localhost:_KDC_PORT_
- }
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7005d517/kerby-kerb/kerb-simplekdc/src/main/resources/krb5_udp-template.conf
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-simplekdc/src/main/resources/krb5_udp-template.conf b/kerby-kerb/kerb-simplekdc/src/main/resources/krb5_udp-template.conf
new file mode 100644
index 0000000..0954538
--- /dev/null
+++ b/kerby-kerb/kerb-simplekdc/src/main/resources/krb5_udp-template.conf
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+[libdefaults]
+ kdc_realm = _REALM_
+ default_realm = _REALM_
+ udp_preference_limit = _UDP_LIMIT_
+ #_KDC_TCP_PORT_
+ #_KDC_UDP_PORT_
+
+[realms]
+ _REALM_ = {
+ kdc = localhost:_KDC_PORT_
+ }
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7005d517/kerby-kerb/kerb-simplekdc/src/main/resources/krb5_udp.conf
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-simplekdc/src/main/resources/krb5_udp.conf b/kerby-kerb/kerb-simplekdc/src/main/resources/krb5_udp.conf
deleted file mode 100644
index 0954538..0000000
--- a/kerby-kerb/kerb-simplekdc/src/main/resources/krb5_udp.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-[libdefaults]
- kdc_realm = _REALM_
- default_realm = _REALM_
- udp_preference_limit = _UDP_LIMIT_
- #_KDC_TCP_PORT_
- #_KDC_UDP_PORT_
-
-[realms]
- _REALM_ = {
- kdc = localhost:_KDC_PORT_
- }
\ No newline at end of file
[41/50] [abbrv] directory-kerby git commit: DIRKRB-586 - NPE in
KdcHandler on an Exception
Posted by co...@apache.org.
DIRKRB-586 - NPE in KdcHandler on an Exception
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/cdb20f15
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/cdb20f15
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/cdb20f15
Branch: refs/heads/gssapi
Commit: cdb20f153de6ab099dd1dfae6cc1b58f50fff9c7
Parents: 28be4b6
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Jun 15 17:19:59 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/cdb20f15/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
index 8a1a21a..d04a306 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java
@@ -140,7 +140,7 @@ public class KdcHandler {
serverPrincipal.setRealm(kdcRequest.getKdcReq().getReqBody().getRealm());
krbError.setSname(serverPrincipal);
}
- if (e.getKrbErrorCode().equals(KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY)) {
+ if (KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY.equals(e.getKrbErrorCode())) {
krbError.setEtext("PREAUTH_FAILED");
} else {
krbError.setEtext(e.getMessage());
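Review bot: If KrbErrorCode is an enum, `==` is already null-safe and reads more naturally than the reversed `equals`, so the changed line can be `if (e.getKrbErrorCode() == KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY) {`; the old line only shows that `equals` is available, so confirm the type first. Separately, the else branch returns `e.getMessage()` to the peer in the KRB-ERROR e-text, so anything embedded in internal exception messages reaches an unauthenticated client; that is pre-existing context rather than part of this fix, but worth a look while in this block.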
[38/50] [abbrv] directory-kerby git commit: DIRKRB-577 Improve for
better latency measuring in kerby KDC. Contributed by Qing.
Posted by co...@apache.org.
DIRKRB-577 Improve for better latency measuring in kerby KDC. Contributed by Qing.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/cc050f05
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/cc050f05
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/cc050f05
Branch: refs/heads/gssapi
Commit: cc050f055460678ea3102b0da89d313cd4f5a391
Parents: 8a7e206
Author: plusplusjiajia <ji...@intel.com>
Authored: Fri Jun 3 16:21:06 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerberos/tool/kinit/KinitToolWithConcurrence.java | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/cc050f05/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitToolWithConcurrence.java
----------------------------------------------------------------------
diff --git a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitToolWithConcurrence.java b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitToolWithConcurrence.java
index 7427307..08bbb8f 100644
--- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitToolWithConcurrence.java
+++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/KinitToolWithConcurrence.java
@@ -234,7 +234,7 @@ public class KinitToolWithConcurrence {
Long now = System.currentTimeMillis();
for (int j = 0; j < threadNumbers; j++) {
- delayNumbers[j] = reList[j * INTERVAL] - delayNumbers[j];
+ delayNumbers[j] = reList[j * INTERVAL] - tempDelayNumbers[j];
tempDelayNumbers[j] = reList[j * INTERVAL];
}
@@ -243,7 +243,8 @@ public class KinitToolWithConcurrence {
}
float res = (now - startTime) / 1000;
- int totalDelay = 0;
+ double totalDelay = 0.0;
+ int cutThreads = 0;
for (int j = 0; j < threadNumbers; j++) {
if (delayNumbers[j] != 0) {
if (delayNumbers[max] < delayNumbers[j]) {
@@ -252,12 +253,14 @@ public class KinitToolWithConcurrence {
if (delayNumbers[min] == 0 || delayNumbers[min] > delayNumbers[j]) {
min = j;
}
- totalDelay += (now - startTime) / delayNumbers[j];
+ totalDelay += (now - startTime) * 1.0 / delayNumbers[j];
+ } else {
+ cutThreads += 1;
}
}
if (delayNumbers[min] != 0 && delayNumbers[max] != 0) {
System.out.println((now - timeStamp) / 1000 + "," + (temp - tmpTotals) / res
- + "," + totalDelay / threadNumbers
+ + "," + (int) (totalDelay / (threadNumbers - cutThreads))
+ "," + (now - startTime) / delayNumbers[min] + "," + (now - startTime) / delayNumbers[max]);
}
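Review bot: The average on the line `+ "," + (int) (totalDelay / (threadNumbers - cutThreads))` hides a divisor that is zero whenever every thread was counted in `cutThreads`, and it appears to rely on the surrounding `delayNumbers[min] != 0 && delayNumbers[max] != 0` guard to never get there. Naming the divisor makes that invariant visible and gives one place to check it: `int activeThreads = threadNumbers - cutThreads;` before the `if`, and `(int) (totalDelay / activeThreads)` in the print. The `(int)` cast also silently truncates the `double` average the commit just introduced; if an integer column is wanted, `Math.round(...)` states that intent. The enclosing method starts and ends outside the hunk.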
[09/50] [abbrv] directory-kerby git commit: DIRKRB-412 Update NOTICE
file with required attributions of used dependencies.
Posted by co...@apache.org.
DIRKRB-412 Update NOTICE file with required attributions of used dependencies.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/2d5b3d09
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/2d5b3d09
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/2d5b3d09
Branch: refs/heads/gssapi
Commit: 2d5b3d09bac0af87fcd505c8a1d9dc8e522aefbb
Parents: 71becf7
Author: plusplusjiajia <ji...@intel.com>
Authored: Tue May 24 16:21:39 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
NOTICE.txt | 10 ++++++++++
1 file changed, 10 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/2d5b3d09/NOTICE.txt
----------------------------------------------------------------------
diff --git a/NOTICE.txt b/NOTICE.txt
new file mode 100644
index 0000000..5d797ab
--- /dev/null
+++ b/NOTICE.txt
@@ -0,0 +1,10 @@
+Apache Kerby
+Copyright 2015 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+
+This product includes/uses SLF4J (http://www.slf4j.org/)
+
+This product includes/uses JUnit (http://www.junit.org/
\ No newline at end of file
[23/50] [abbrv] directory-kerby git commit: DIRKRB-576 Add test for
client-server based on Kerby GssApi. Contributed by Wei.
Posted by co...@apache.org.
DIRKRB-576 Add test for client-server based on Kerby GssApi. Contributed by Wei.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/8a7e2069
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/8a7e2069
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/8a7e2069
Branch: refs/heads/gssapi
Commit: 8a7e20692a1181e6c09d611bc16c658ae740af37
Parents: b5abed0
Author: plusplusjiajia <ji...@intel.com>
Authored: Thu Jun 2 14:13:18 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
kerby-kerb/integration-test/pom.xml | 5 +++
.../kerb/integration/test/KerbyGssAppTest.java | 41 ++++++++++++++++++++
2 files changed, 46 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8a7e2069/kerby-kerb/integration-test/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/pom.xml b/kerby-kerb/integration-test/pom.xml
index efc11aa..b091d30 100644
--- a/kerby-kerb/integration-test/pom.xml
+++ b/kerby-kerb/integration-test/pom.xml
@@ -55,5 +55,10 @@
<version>${slf4j.version}</version>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerb-gssapi</artifactId>
+ <version>${project.version}</version>
+ </dependency>
</dependencies>
</project>
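Review bot: The new `kerb-gssapi` dependency carries no `<scope>`, while the neighbouring dependency in the same block is `<scope>test</scope>`, so it lands on this module's compile scope and is exported transitively to anything depending on the artifact. If the module holds only tests, as the `integration-test` name suggests, add `<scope>test</scope>` to the new dependency so it matches the others.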
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8a7e2069/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
new file mode 100644
index 0000000..d9030df
--- /dev/null
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.integration.test;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import java.security.Provider;
+
+public class KerbyGssAppTest extends GssAppTest {
+
+ @Before
+ @Override
+ public void setUp() throws Exception {
+ Provider provider = new org.apache.kerby.kerberos.kerb.gssapi.Provider();
+ java.security.Security.insertProviderAt(provider, 1);
+ super.setUp();
+ }
+
+ @Test
+ public void test() throws Exception {
+ super.test();
+ }
+}
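Review bot: `setUp()` inserts the Kerby provider at position 1 but nothing ever removes it, so once this class has run, every later test in the same JVM (including the parent `GssAppTest`, which presumably exercises the JDK mechanism) resolves the Kerberos GSS mechanism through Kerby instead. Keep the provider in a field and restore the provider list afterwards: `@After public void tearDown() { java.security.Security.removeProvider(provider.getName()); }` (with `org.junit.After` imported). The `test()` override adds nothing beyond re-declaring `@Test` over `super.test()`; a one-line comment saying that is why it exists would spare the next reader the question.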
[31/50] [abbrv] directory-kerby git commit: Refactoring the package
and structure
Posted by co...@apache.org.
Refactoring the package and structure
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/8432c1a8
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/8432c1a8
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/8432c1a8
Branch: refs/heads/gssapi
Commit: 8432c1a81c59e73829c350f328c7956a66d8a809
Parents: de7c8a9
Author: Drankye <dr...@gmail.com>
Authored: Fri Jul 1 17:08:14 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerb/integration/test/KerbyGssAppTest.java | 3 +-
.../kerby/kerberos/kerb/gss/GssMechFactory.java | 149 ++++
.../kerberos/kerb/gss/KerbyGssProvider.java | 46 ++
.../kerby/kerberos/kerb/gss/impl/CredUtils.java | 89 +++
.../kerberos/kerb/gss/impl/GssAcceptCred.java | 72 ++
.../kerberos/kerb/gss/impl/GssContext.java | 745 +++++++++++++++++++
.../kerberos/kerb/gss/impl/GssCredElement.java | 81 ++
.../kerberos/kerb/gss/impl/GssEncryptor.java | 388 ++++++++++
.../kerberos/kerb/gss/impl/GssInitCred.java | 53 ++
.../kerberos/kerb/gss/impl/GssNameElement.java | 135 ++++
.../kerberos/kerb/gss/impl/GssTokenBase.java | 59 ++
.../kerberos/kerb/gss/impl/GssTokenV1.java | 319 ++++++++
.../kerberos/kerb/gss/impl/GssTokenV2.java | 282 +++++++
.../kerby/kerberos/kerb/gss/impl/GssUtil.java | 386 ++++++++++
.../kerberos/kerb/gss/impl/MicTokenV1.java | 92 +++
.../kerberos/kerb/gss/impl/MicTokenV2.java | 94 +++
.../kerberos/kerb/gss/impl/WrapTokenV1.java | 196 +++++
.../kerberos/kerb/gss/impl/WrapTokenV2.java | 158 ++++
.../kerberos/kerb/gssapi/KerbyMechFactory.java | 149 ----
.../kerby/kerberos/kerb/gssapi/Provider.java | 46 --
.../kerberos/kerb/gssapi/krb5/CredUtils.java | 89 ---
.../kerb/gssapi/krb5/KerbyAcceptCred.java | 72 --
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 744 ------------------
.../kerb/gssapi/krb5/KerbyCredElement.java | 80 --
.../kerb/gssapi/krb5/KerbyGssEncryptor.java | 388 ----------
.../kerb/gssapi/krb5/KerbyGssTokenBase.java | 59 --
.../kerb/gssapi/krb5/KerbyGssTokenV1.java | 319 --------
.../kerb/gssapi/krb5/KerbyGssTokenV2.java | 282 -------
.../kerb/gssapi/krb5/KerbyInitCred.java | 53 --
.../kerb/gssapi/krb5/KerbyNameElement.java | 134 ----
.../kerberos/kerb/gssapi/krb5/KerbyUtil.java | 386 ----------
.../kerberos/kerb/gssapi/krb5/MicTokenV1.java | 92 ---
.../kerberos/kerb/gssapi/krb5/MicTokenV2.java | 94 ---
.../kerberos/kerb/gssapi/krb5/WrapTokenV1.java | 196 -----
.../kerberos/kerb/gssapi/krb5/WrapTokenV2.java | 158 ----
35 files changed, 3346 insertions(+), 3342 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
index d9030df..fbb3f3f 100644
--- a/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
+++ b/kerby-kerb/integration-test/src/test/java/org/apache/kerby/kerberos/kerb/integration/test/KerbyGssAppTest.java
@@ -19,6 +19,7 @@
*/
package org.apache.kerby.kerberos.kerb.integration.test;
+import org.apache.kerby.kerberos.kerb.gss.KerbyGssProvider;
import org.junit.Before;
import org.junit.Test;
@@ -29,7 +30,7 @@ public class KerbyGssAppTest extends GssAppTest {
@Before
@Override
public void setUp() throws Exception {
- Provider provider = new org.apache.kerby.kerberos.kerb.gssapi.Provider();
+ Provider provider = new KerbyGssProvider();
java.security.Security.insertProviderAt(provider, 1);
super.setUp();
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/GssMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/GssMechFactory.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/GssMechFactory.java
new file mode 100644
index 0000000..735368b
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/GssMechFactory.java
@@ -0,0 +1,149 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss;
+
+import org.apache.kerby.kerberos.kerb.gss.impl.GssAcceptCred;
+import org.apache.kerby.kerberos.kerb.gss.impl.GssContext;
+import org.apache.kerby.kerberos.kerb.gss.impl.GssCredElement;
+import org.apache.kerby.kerberos.kerb.gss.impl.GssInitCred;
+import org.apache.kerby.kerberos.kerb.gss.impl.GssNameElement;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSCaller;
+import sun.security.jgss.spi.GSSContextSpi;
+import sun.security.jgss.spi.GSSCredentialSpi;
+import sun.security.jgss.spi.GSSNameSpi;
+import sun.security.jgss.spi.MechanismFactory;
+
+import java.security.Provider;
+
+/**
+ * Kerby Kerberos V5 plugin for JGSS
+ */
+public class GssMechFactory implements MechanismFactory {
+ private static final Provider PROVIDER =
+ new KerbyGssProvider();
+
+ private static final String KRB5_OID_STRING = "1.2.840.113554.1.2.2";
+ private static final Oid KRB5_OID = createOid(KRB5_OID_STRING);
+
+ private static Oid[] nameTypes =
+ new Oid[] {
+ GSSName.NT_USER_NAME,
+ GSSName.NT_EXPORT_NAME,
+ GSSName.NT_HOSTBASED_SERVICE
+ };
+
+ private final GSSCaller caller;
+
+ public Oid getMechanismOid() {
+ return KRB5_OID;
+ }
+
+ public Provider getProvider() {
+ return PROVIDER;
+ }
+
+ public Oid[] getNameTypes() throws GSSException {
+ return nameTypes;
+ }
+
+ public GssMechFactory(GSSCaller caller) {
+ this.caller = caller;
+ }
+
+ public GSSNameSpi getNameElement(String nameStr, Oid nameType)
+ throws GSSException {
+ return GssNameElement.getInstance(nameStr, nameType);
+ }
+
+ public GSSNameSpi getNameElement(byte[] name, Oid nameType)
+ throws GSSException {
+ return GssNameElement.getInstance(name.toString(), nameType);
+ }
+
+ // Used by initiator
+ public GSSContextSpi getMechanismContext(GSSNameSpi peer,
+ GSSCredentialSpi myInitiatorCred,
+ int lifetime) throws GSSException {
+ if (peer != null && !(peer instanceof GssNameElement)) {
+ peer = GssNameElement.getInstance(peer.toString(), peer.getStringNameType());
+ }
+ if (myInitiatorCred == null) {
+ myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
+ }
+ return new GssContext(caller, (GssNameElement) peer, (GssInitCred) myInitiatorCred, lifetime);
+ }
+
+ public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
+ throws GSSException {
+ if (myAcceptorCred == null) {
+ myAcceptorCred = getCredentialElement(null, 0,
+ GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
+ }
+ return new GssContext(caller, (GssAcceptCred) myAcceptorCred);
+ }
+
+ // Reconstruct from previously exported context
+ public GSSContextSpi getMechanismContext(byte[] exportedContext)
+ throws GSSException {
+ return new GssContext(caller, exportedContext);
+ }
+
+ public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
+ int initLifetime,
+ int acceptLifetime,
+ int usage)
+ throws GSSException {
+ if (name != null && !(name instanceof GssNameElement)) {
+ name = GssNameElement.getInstance(name.toString(), name.getStringNameType());
+ }
+
+ GssCredElement credElement;
+
+ if (usage == GSSCredential.INITIATE_ONLY) {
+ credElement = GssInitCred.getInstance(caller, (GssNameElement) name, initLifetime);
+ } else if (usage == GSSCredential.ACCEPT_ONLY) {
+ credElement = GssAcceptCred.getInstance(caller, (GssNameElement) name, acceptLifetime);
+ } else if (usage == GSSCredential.INITIATE_AND_ACCEPT) {
+ throw new GSSException(GSSException.FAILURE, -1, "Unsupported usage mode: INITIATE_AND_ACCEPT");
+ } else {
+ throw new GSSException(GSSException.FAILURE, -1, "Unknown usage mode: " + usage);
+ }
+
+ return credElement;
+ }
+
+ private static Oid createOid(String oidStr) {
+ Oid retVal;
+ try {
+ retVal = new Oid(oidStr);
+ } catch (GSSException e) {
+ retVal = null;
+ }
+ return retVal;
+ }
+
+ public static Oid getOid() {
+ return KRB5_OID;
+ }
+}
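Review bot: `getNameElement(byte[] name, Oid nameType)` calls `name.toString()` on the array, which yields the identity string (`[B@...`) rather than the name bytes, so any caller supplying a byte-encoded name gets a principal that can never match anything. Decode the bytes instead, e.g. `return GssNameElement.getInstance(new String(name, StandardCharsets.UTF_8), nameType);` (with `java.nio.charset.StandardCharsets` imported); for `NT_EXPORT_NAME` the bytes carry the exported-name framing of RFC 2743 §3.2 and need to be parsed rather than decoded as text. Separately, `getMechanismContext` casts `myInitiatorCred` to `GssInitCred` and `myAcceptorCred` to `GssAcceptCred` without checking, so a credential with the wrong usage surfaces as a `ClassCastException` instead of a `GSSException`; an `instanceof` check throwing `GSSException.NO_CRED` keeps the failure within the API contract.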
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/KerbyGssProvider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/KerbyGssProvider.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/KerbyGssProvider.java
new file mode 100644
index 0000000..83c5404
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/KerbyGssProvider.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Proivder is used to register the implementation of gssapi mechanism into the system
+ */
+public final class KerbyGssProvider extends java.security.Provider {
+ private static final long serialVersionUID = 3787378212107821987L;
+ private static final String INFO = "Kerby Gssapi Provider";
+ private static final String MECHANISM_GSSAPI = "GssApiMechanism.1.2.840.113554.1.2.2";
+ private static final String MECHANISM_GSSAPI_CLASS = "org.apache.kerby.kerberos.kerb.gss.GssMechFactory";
+
+ public KerbyGssProvider() {
+ super("KerbyGssApi", 0.01d, INFO);
+
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+
+ put(MECHANISM_GSSAPI, MECHANISM_GSSAPI_CLASS);
+
+ return null;
+ }
+ });
+ }
+}
\ No newline at end of file
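Review bot: The class Javadoc `Proivder is used to register the implementation of gssapi mechanism into the system` has a typo and does not say which mechanism is registered or how the provider is meant to be installed. Suggest `Registers the Kerby implementation of the Kerberos V5 GSS-API mechanism (OID 1.2.840.113554.1.2.2) with the JCA; install it with Security.insertProviderAt(...) ahead of the JDK's GSS provider, as the integration test does, so JGSS selects this factory for that mechanism.` A short comment on the `0.01d` version would also help, since provider versions show up in diagnostics.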
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java
new file mode 100644
index 0000000..fdcb046
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java
@@ -0,0 +1,89 @@
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.*;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Set;
+
+/**
+ * Utility functions to deal with credentials in Context
+ */
+public class CredUtils {
+
+ public static <T> Set<T> getContextPrivateCredentials(Class<T> credentialType, AccessControlContext acc) {
+ Subject subject = Subject.getSubject(acc);
+ Set<T> creds = subject.getPrivateCredentials(credentialType);
+ return creds;
+ }
+
+ public static <T> Set<T> getContextCredentials(final Class<T> credentialType) throws GSSException {
+ final AccessControlContext acc = AccessController.getContext();
+ try {
+ return AccessController.doPrivileged(
+ new PrivilegedExceptionAction<Set<T>>() {
+ public Set<T> run() throws Exception {
+ return CredUtils.getContextPrivateCredentials(credentialType, acc);
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ throw new GSSException(GSSException.NO_CRED, -1, "Get credential from context failed");
+ }
+ }
+
+ public static KerberosTicket getKerberosTicketFromContext(GSSCaller caller,
+ final String clientName,
+ final String serverName) throws GSSException {
+ Set<KerberosTicket> tickets = getContextCredentials(KerberosTicket.class);
+ for (KerberosTicket ticket : tickets) {
+ if (ticket.isCurrent() && (serverName == null || ticket.getServer().getName().equals(serverName))
+ && (clientName == null || ticket.getClient().getName().equals(clientName))) {
+ return ticket;
+ }
+ }
+ return null;
+ }
+
+ public static KeyTab getKeyTabFromContext(KerberosPrincipal principal) throws GSSException {
+ Set<KeyTab> tabs = getContextCredentials(KeyTab.class);
+ for (KeyTab tab : tabs) {
+ KerberosKey[] keys = tab.getKeys(principal);
+ if (keys != null && keys.length > 0) {
+ return tab;
+ }
+ }
+ return null;
+ }
+
+ public static void addCredentialToSubject(final KerberosTicket ticket) throws GSSException {
+ final AccessControlContext acc = AccessController.getContext();
+
+ final Subject subject = AccessController.doPrivileged(
+ new java.security.PrivilegedAction<Subject>() {
+ public Subject run() {
+ return Subject.getSubject(acc);
+ }
+ });
+
+ AccessController.doPrivileged(
+ new java.security.PrivilegedAction<Void>() {
+ public Void run() {
+ subject.getPrivateCredentials().add(ticket);
+ return null;
+ }
+ });
+ }
+
+ public static void checkPrincipalPermission(String principalName, String action) {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ ServicePermission sp = new ServicePermission(principalName, action);
+ sm.checkPermission(sp);
+ }
+ }
+}
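Review bot: `getContextPrivateCredentials` dereferences the result of `Subject.getSubject(acc)` without a null check, and `Subject.getSubject` returns null when no Subject is bound to the context, so a caller with no JAAS Subject gets a `NullPointerException` out of `getContextCredentials` rather than the `GSSException(NO_CRED)` the `catch (PrivilegedActionException e)` intends — `PrivilegedActionException` wraps only checked exceptions. Guard it with `if (subject == null) { return Collections.emptySet(); }` (importing `java.util.Collections`), which lets `getKerberosTicketFromContext` and `getKeyTabFromContext` fall through to their existing null returns; `addCredentialToSubject` has the same gap and should throw `GSSException` when the subject is null. This file is also the only new source in the commit without the ASF license header, and `javax.security.auth.kerberos.*` is the only wildcard import in the set. The unused `caller` parameter of `getKerberosTicketFromContext` deserves a comment or removal.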
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
new file mode 100644
index 0000000..9ba718f
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KeyTab;
+
+public final class GssAcceptCred extends GssCredElement {
+
+ private final KeyTab keyTab;
+
+ public static GssAcceptCred getInstance(final GSSCaller caller,
+ GssNameElement name, int lifeTime) throws GSSException {
+
+ KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
+ name.getPrincipalName().getNameType().getValue());
+ KeyTab keyTab = CredUtils.getKeyTabFromContext(princ);
+
+ if (keyTab == null) {
+ throw new GSSException(GSSException.NO_CRED, -1,
+ "Failed to find any Kerberos credential for " + name.getPrincipalName().getName());
+ }
+
+ return new GssAcceptCred(caller, name, keyTab, lifeTime);
+ }
+
+ private GssAcceptCred(GSSCaller caller, GssNameElement name, KeyTab keyTab, int lifeTime) {
+ super(caller, name);
+ this.keyTab = keyTab;
+ this.accLifeTime = lifeTime;
+ }
+
+ public boolean isInitiatorCredential() throws GSSException {
+ return false;
+ }
+
+ public boolean isAcceptorCredential() throws GSSException {
+ return true;
+ }
+
+ public KeyTab getKeyTab() {
+ return this.keyTab;
+ }
+
+ public KerberosKey[] getKeys() {
+ KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
+ name.getPrincipalName().getNameType().getValue());
+ return keyTab.getKeys(princ);
+ }
+}
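Review bot: `getInstance` dereferences `name` at `name.getPrincipalName().getName()` with no null check, yet `GssMechFactory.getCredentialElement` in this same commit reaches it with a null name when `getMechanismContext(GSSCredentialSpi)` is called with a null acceptor credential, so the acceptor default-credential path ends in a `NullPointerException` instead of a `GSSException`. Either reject it explicitly, `if (name == null) { throw new GSSException(GSSException.NO_CRED, -1, "Acceptor name is required"); }`, or select a keytab entry without a principal, which the current `getKeyTabFromContext(KerberosPrincipal)` lookup does not support. The `KerberosPrincipal` derived from the name is also built twice (here and in `getKeys()`); computing it once in the constructor and keeping it as a field removes the duplication.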
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
new file mode 100644
index 0000000..3efb08b
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
@@ -0,0 +1,745 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import com.sun.security.jgss.InquireType;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.gss.GssMechFactory;
+import org.apache.kerby.kerberos.kerb.gss.KerbyGssProvider;
+import org.apache.kerby.kerberos.kerb.request.ApRequest;
+import org.apache.kerby.kerberos.kerb.response.ApResponse;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
+import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
+import org.ietf.jgss.ChannelBinding;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSCaller;
+import sun.security.jgss.spi.GSSContextSpi;
+import sun.security.jgss.spi.GSSCredentialSpi;
+import sun.security.jgss.spi.GSSNameSpi;
+
+import javax.security.auth.kerberos.KerberosTicket;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.ByteBuffer;
+import java.security.Provider;
+
+@SuppressWarnings("PMD")
+public class GssContext implements GSSContextSpi {
+
+ private static final int STATE_NONE = 0;
+ private static final int STATE_ESTABLISHING = 1;
+ private static final int STATE_ESTABLISHED = 2;
+ private static final int STATE_DESTROYED = 3;
+
+ private static final byte[] MSG_AP_REQ = {(byte) 0x1, (byte) 0};
+ private static final byte[] MSG_AP_REP = {(byte) 0x2, (byte) 0};
+
+ private int ctxState = STATE_NONE;
+
+ private final GSSCaller caller;
+ private GssCredElement myCred;
+ private boolean initiator;
+ private GssNameElement myName;
+ private GssNameElement peerName;
+ private int lifeTime;
+ private ChannelBinding channelBinding;
+
+ private boolean mutualAuth = true;
+ private boolean replayDet = true;
+ private boolean sequenceDet = true;
+ private boolean credDeleg = false;
+ private boolean confState = true;
+ private boolean integState = true;
+ private boolean delegPolicy = false;
+
+ public static final int INVALID_KEY = 0;
+ public static final int SESSION_KEY = 1;
+ public static final int INITIATOR_SUBKEY = 2;
+ public static final int ACCEPTOR_SUBKEY = 4;
+ private int keyComesFrom = INVALID_KEY;
+
+ private EncryptionKey sessionKey; // used between client and app server
+ private TicketFlags ticketFlags;
+ private ApReq outApReq;
+
+ private GssEncryptor gssEncryptor;
+
+ // Called on initiator's side.
+ public GssContext(GSSCaller caller, GssNameElement peerName, GssCredElement myCred,
+ int lifeTime)
+ throws GSSException {
+ if (peerName == null) {
+ throw new IllegalArgumentException("Cannot have null peer name");
+ }
+
+ this.caller = caller;
+ this.peerName = peerName;
+ this.myCred = myCred;
+ this.lifeTime = lifeTime;
+ this.initiator = true;
+
+ mySequenceNumberLock = new Object();
+ peerSequenceNumberLock = new Object();
+ }
+
+ public GssContext(GSSCaller caller, GssAcceptCred myCred)
+ throws GSSException {
+ this.caller = caller;
+ this.myCred = myCred;
+ this.initiator = false;
+
+ mySequenceNumberLock = new Object();
+ peerSequenceNumberLock = new Object();
+ }
+
+ public GssContext(GSSCaller caller, byte[] interProcessToken)
+ throws GSSException {
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported feature");
+ }
+
+ public Provider getProvider() {
+ return new KerbyGssProvider();
+ }
+
+ public void requestLifetime(int lifeTime) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ this.lifeTime = lifeTime;
+ }
+ }
+
+ public void requestMutualAuth(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ mutualAuth = state;
+ }
+ }
+
+ public void requestReplayDet(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ replayDet = state;
+ }
+ }
+
+ public void requestSequenceDet(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ replayDet = state;
+ }
+ }
+
+ public void requestCredDeleg(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator() && myCred == null) {
+ credDeleg = state;
+ }
+ }
+
+ public void requestAnonymity(boolean state) throws GSSException {
+ // anonymous context not supported
+ }
+
+ public void requestConf(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ confState = state;
+ }
+ }
+
+ public void requestInteg(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ integState = state;
+ }
+ }
+
+ public void requestDelegPolicy(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ delegPolicy = state;
+ }
+ }
+
+ public void setChannelBinding(ChannelBinding cb) throws GSSException {
+ this.channelBinding = cb;
+ }
+
+ public boolean getCredDelegState() {
+ return credDeleg;
+ }
+
+ public boolean getMutualAuthState() {
+ return mutualAuth;
+ }
+
+ public boolean getReplayDetState() {
+ return replayDet || sequenceDet;
+ }
+
+ public boolean getSequenceDetState() {
+ return sequenceDet;
+ }
+
+ public boolean getAnonymityState() {
+ return false;
+ }
+
+ public boolean getDelegPolicyState() {
+ return delegPolicy;
+ }
+
+ public boolean isTransferable() throws GSSException {
+ return false;
+ }
+
+ public boolean isProtReady() {
+ return ctxState == STATE_ESTABLISHED;
+ }
+
+ public boolean isInitiator() {
+ return initiator;
+ }
+
+ public boolean getConfState() {
+ return confState;
+ }
+
+ public boolean getIntegState() {
+ return integState;
+ }
+
+ public int getLifetime() {
+ return GSSContext.INDEFINITE_LIFETIME;
+ }
+
+ public boolean isEstablished() {
+ return ctxState == STATE_ESTABLISHED;
+ }
+
+ public GSSNameSpi getSrcName() throws GSSException {
+ return isInitiator() ? myName : peerName;
+ }
+
+ public GSSNameSpi getTargName() throws GSSException {
+ return !isInitiator() ? myName : peerName;
+ }
+
+ public Oid getMech() throws GSSException {
+ return GssMechFactory.getOid();
+ }
+
+ public GSSCredentialSpi getDelegCred() throws GSSException {
+ throw new GSSException(GSSException.FAILURE, -1, "API not implemented"); // TODO:
+ }
+
+ public byte[] initSecContext(InputStream is, int mechTokenSize)
+ throws GSSException {
+ if (!isInitiator()) {
+ throw new GSSException(GSSException.FAILURE, -1, "initSecContext called on acceptor");
+ }
+
+ byte[] ret = null;
+
+ if (ctxState == STATE_NONE) {
+
+ if (!myCred.isInitiatorCredential()) {
+ throw new GSSException(GSSException.NO_CRED, -1, "No TGT available");
+ }
+
+ // check if service ticket already exists
+ // if not, prepare to get it through TGS_REQ
+ SgtTicket sgtTicket = null;
+ String serviceName = peerName.getPrincipalName().getName();
+ myName = (GssNameElement) myCred.getName();
+ PrincipalName clientPrincipal = myName.getPrincipalName();
+
+ sgtTicket = GssUtil.getSgtCredentialFromContext(caller, clientPrincipal.getName(), serviceName);
+
+ if (sgtTicket == null) {
+ sgtTicket = GssUtil.applySgtCredential(((GssInitCred) myCred).ticket, serviceName);
+
+ // add this service credential to context
+ final KerberosTicket ticket =
+ GssUtil.convertKrbTicketToKerberosTicket(sgtTicket, myName.getPrincipalName().getName());
+ CredUtils.addCredentialToSubject(ticket);
+ }
+
+ ApRequest apRequest = new ApRequest(clientPrincipal, sgtTicket);
+ try {
+ outApReq = apRequest.getApReq();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq failed: " + e.getMessage());
+ }
+ setupInitiatorContext(sgtTicket, apRequest);
+ try {
+ ByteBuffer outBuffer = ByteBuffer.allocate(outApReq.encodingLength() + 2);
+ outBuffer.put(MSG_AP_REQ);
+ outApReq.encode(outBuffer);
+ outBuffer.flip();
+ ret = outBuffer.array();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq bytes failed: " + e.getMessage());
+ }
+
+ ctxState = STATE_ESTABLISHING;
+ if (!getMutualAuthState()) {
+ gssEncryptor = new GssEncryptor(getSessionKey());
+ ctxState = STATE_ESTABLISHED;
+ }
+
+ } else if (ctxState == STATE_ESTABLISHING) {
+ verifyServerToken(is, mechTokenSize);
+ gssEncryptor = new GssEncryptor(getSessionKey());
+ outApReq = null;
+ ctxState = STATE_ESTABLISHED;
+ }
+ return ret;
+ }
+
+ private void setupInitiatorContext(SgtTicket sgt, ApRequest apRequest) throws GSSException {
+ EncKdcRepPart encKdcRepPart = sgt.getEncKdcRepPart();
+ TicketFlags ticketFlags = encKdcRepPart.getFlags();
+ setTicketFlags(ticketFlags);
+
+ setAuthTime(encKdcRepPart.getAuthTime().toString());
+
+ Authenticator auth;
+ try {
+ auth = apRequest.getApReq().getAuthenticator();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "ApReq failed in Initiator");
+ }
+ setMySequenceNumber(auth.getSeqNumber());
+
+ EncryptionKey subKey = auth.getSubKey();
+ if (subKey != null) {
+ setSessionKey(subKey, GssContext.INITIATOR_SUBKEY);
+ } else {
+ setSessionKey(sgt.getSessionKey(), GssContext.SESSION_KEY);
+ }
+
+ if (!getMutualAuthState()) {
+ setPeerSequenceNumber(0);
+ }
+ }
+
+ /**
+ * Verify the AP_REP from server and set context accordingly
+ * @param is
+ * @param mechTokenSize
+ * @return
+ * @throws GSSException
+ * @throws IOException
+ */
+ private void verifyServerToken(InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] token;
+ ApRep apRep;
+ try {
+ if (!(is.read() == MSG_AP_REP[0] && is.read() == MSG_AP_REP[1])) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep message ID");
+ }
+ token = new byte[mechTokenSize - MSG_AP_REP.length];
+ is.read(token);
+ apRep = new ApRep();
+ apRep.decode(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep " + e.getMessage());
+ }
+
+ try {
+ ApResponse.validate(getSessionKey(), apRep, outApReq);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApRep verification failed");
+ }
+
+ EncryptionKey key = apRep.getEncRepPart().getSubkey();
+ if (key != null) {
+ setSessionKey(key, ACCEPTOR_SUBKEY);
+ }
+
+ int seqNum = apRep.getEncRepPart().getSeqNumber();
+ setPeerSequenceNumber(seqNum == -1 ? 0 : seqNum);
+ }
+
+ public byte[] acceptSecContext(InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] ret = null;
+
+ if (isInitiator()) {
+ throw new GSSException(GSSException.FAILURE, -1, "acceptSecContext called on initiator");
+ }
+
+ if (ctxState == STATE_NONE) {
+ ctxState = STATE_ESTABLISHING;
+ if (!myCred.isAcceptorCredential()) {
+ throw new GSSException(GSSException.FAILURE, -1, "No acceptor credential available");
+ }
+
+ GssAcceptCred acceptCred = (GssAcceptCred) myCred;
+ CredUtils.checkPrincipalPermission(
+ ((GssNameElement) acceptCred.getName()).getPrincipalName().getName(), "accept");
+
+ if (getMutualAuthState()) {
+ ret = verifyClientToken(acceptCred, is, mechTokenSize);
+ }
+
+ gssEncryptor = new GssEncryptor(getSessionKey());
+
+ myCred = null;
+ ctxState = STATE_ESTABLISHED;
+ }
+
+ return ret;
+ }
+
+ private byte[] verifyClientToken(GssAcceptCred acceptCred, InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] token;
+ ApReq apReq;
+ try {
+ if (!(is.read() == MSG_AP_REQ[0] && is.read() == MSG_AP_REQ[1])) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApReq message ID");
+ }
+
+ token = new byte[mechTokenSize - MSG_AP_REQ.length];
+ is.read(token);
+ apReq = new ApReq();
+ apReq.decode(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid:" + e.getMessage());
+ }
+
+ int kvno = apReq.getTicket().getEncryptedEncPart().getKvno();
+ int encryptType = apReq.getTicket().getEncryptedEncPart().getEType().getValue();
+
+ // Get server key from credential
+ EncryptionKey serverKey = GssUtil.getEncryptionKey(acceptCred.getKeys(), encryptType, kvno);
+ if (serverKey == null) {
+ throw new GSSException(GSSException.FAILURE, -1, "Server key not found");
+ }
+
+ try {
+ ApRequest.validate(serverKey, apReq,
+ channelBinding == null ? null : channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq verification failed: " + e.getMessage());
+ }
+
+ ApResponse apResponse = new ApResponse(apReq);
+ ApRep apRep;
+ try {
+ apRep = apResponse.getApRep();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "Generate ApRep failed");
+ }
+
+ EncTicketPart apReqTicketEncPart = apReq.getTicket().getEncPart();
+
+ EncryptionKey ssKey = apReqTicketEncPart.getKey();
+ Authenticator auth = apReq.getAuthenticator();
+ EncryptionKey subKey = auth.getSubKey();
+
+ if (subKey != null) {
+ setSessionKey(subKey, INITIATOR_SUBKEY);
+ } else {
+ setSessionKey(ssKey, SESSION_KEY);
+ }
+
+ // initial seqNumber
+ int seqNumber = auth.getSeqNumber();
+ setMySequenceNumber(seqNumber);
+ // initial authtime, tktflags, authdata,
+ setAuthTime(apReqTicketEncPart.getAuthTime().toString());
+ setTicketFlags(apReqTicketEncPart.getFlags());
+ setAuthData(apReqTicketEncPart.getAuthorizationData());
+
+ byte[] ret = null;
+ try {
+ ByteBuffer outBuffer = ByteBuffer.allocate(apRep.encodingLength() + 2);
+ outBuffer.put(MSG_AP_REP);
+ apRep.encode(outBuffer);
+ outBuffer.flip();
+ ret = outBuffer.array();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApRep bytes failed:" + e.getMessage());
+ }
+ return ret;
+ }
+
+ public int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
+ throws GSSException {
+ if (gssEncryptor.isV2()) {
+ return WrapTokenV2.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
+ } else {
+ return WrapTokenV1.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
+ }
+ }
+
+ public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
+ throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
+ }
+
+ int len;
+ byte[] inBuf;
+ try {
+ len = is.available();
+ inBuf = new byte[len];
+ is.read(inBuf);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error when get user data:" + e.getMessage());
+ }
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
+ token.wrap(os);
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, inBuf, 0, len, msgProp);
+ token.wrap(os);
+ }
+ }
+
+ public byte[] wrap(byte[] inBuf, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
+ }
+ byte[] ret;
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
+ ret = token.wrap();
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, inBuf, offset, len, msgProp);
+ ret = token.wrap();
+ }
+ return ret;
+ }
+
+ public void unwrap(InputStream is, OutputStream os,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
+ }
+
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
+ token.unwrap(os);
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, msgProp, is);
+ token.unwrap(os);
+ }
+ }
+
+ public byte[] unwrap(byte[] inBuf, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
+ }
+
+ byte[] ret;
+ if (gssEncryptor.isV2()) {
+ WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
+ ret = token.unwrap();
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, msgProp, inBuf, offset, len);
+ ret = token.unwrap();
+ }
+ return ret;
+ }
+
+ public void getMIC(InputStream is, OutputStream os,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
+ }
+
+ try {
+ int len = is.available();
+ byte[] inMsg = new byte[len];
+ is.read(inMsg);
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, inMsg, 0, len, msgProp);
+ token.getMic(os);
+ } else {
+ MicTokenV1 token = new MicTokenV1(this, inMsg, 0, len, msgProp);
+ token.getMic(os);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error when get user data in getMIC:" + e.getMessage());
+ }
+ }
+
+ public byte[] getMIC(byte[] inMsg, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
+ }
+
+ byte[] ret;
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, inMsg, offset, len, msgProp);
+ ret = token.getMic();
+ } else {
+ MicTokenV1 token = new MicTokenV1(this, inMsg, offset, len, msgProp);
+ ret = token.getMic();
+ }
+ return ret;
+ }
+
+ public void verifyMIC(InputStream is, InputStream msgStr,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
+ }
+
+ try {
+ int tokLen = is.available();
+ byte[] inTok = new byte[tokLen];
+ int msgLen = msgStr.available();
+ byte[] inMsg = new byte[msgLen];
+
+ verifyMIC(inTok, 0, tokLen, inMsg, 0, msgLen, msgProp);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error when get user data in verifyMIC:" + e.getMessage());
+ }
+ }
+
+ public void verifyMIC(byte[]inTok, int tokOffset, int tokLen,
+ byte[] inMsg, int msgOffset, int msgLen,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
+ }
+
+ if (gssEncryptor.isV2()) {
+ MicTokenV2 token = new MicTokenV2(this, msgProp, inTok, tokOffset, tokLen);
+ token.verify(inMsg, msgOffset, msgLen);
+ } else {
+ MicTokenV1 token = new MicTokenV1(this, msgProp, inTok, tokOffset, tokLen);
+ token.verify(inMsg, msgOffset, msgLen);
+ }
+ }
+
+ public byte[] export() throws GSSException {
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export() method");
+ }
+
+ public void dispose() throws GSSException {
+ ctxState = STATE_DESTROYED;
+ setSessionKey(null, 0);
+ peerName = null;
+ myCred = null;
+ myName = null;
+ }
+
+
+ private String authTime;
+ private void setAuthTime(String authTime) {
+ this.authTime = authTime;
+ }
+
+ public Object inquireSecContext(InquireType type) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Invalid context");
+ }
+
+ switch (type) {
+ case KRB5_GET_SESSION_KEY:
+ return getSessionKey();
+ case KRB5_GET_TKT_FLAGS:
+ return GssUtil.ticketFlagsToBooleans(ticketFlags);
+ case KRB5_GET_AUTHZ_DATA:
+ if (isInitiator()) {
+ throw new GSSException(GSSException.UNAVAILABLE, -1,
+ "Authorization data not available for initiator");
+ } else {
+ return GssUtil.kerbyAuthorizationDataToJgssAuthorizationDataEntries(authData);
+ }
+ case KRB5_GET_AUTHTIME:
+ return authTime;
+ }
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported inquire type");
+ }
+
+
+ // functions not belong to SPI
+ private void setSessionKey(EncryptionKey encryptionKey, int keyComesFrom) {
+ this.sessionKey = encryptionKey;
+ this.keyComesFrom = keyComesFrom;
+ }
+
+ public int getKeyComesFrom() {
+ return keyComesFrom;
+ }
+
+ private EncryptionKey getSessionKey() {
+ return sessionKey;
+ }
+
+ private void setTicketFlags(TicketFlags ticketFlags) {
+ this.ticketFlags = ticketFlags;
+ }
+
+ private AuthorizationData authData;
+ private void setAuthData(AuthorizationData authData) {
+ this.authData = authData;
+ }
+
+
+ private int mySequenceNumber;
+ private int peerSequenceNumber;
+ private Object mySequenceNumberLock;
+ private Object peerSequenceNumberLock;
+
+ public void setMySequenceNumber(int sequenceNumber) {
+ synchronized (mySequenceNumberLock) {
+ mySequenceNumber = sequenceNumber;
+ }
+ }
+
+ public int incMySequenceNumber() {
+ synchronized (mySequenceNumberLock) {
+ return mySequenceNumber++;
+ }
+ }
+
+ public void setPeerSequenceNumber(int sequenceNumber) {
+ synchronized (peerSequenceNumberLock) {
+ peerSequenceNumber = sequenceNumber;
+ }
+ }
+
+ public int incPeerSequenceNumber() {
+ synchronized (peerSequenceNumberLock) {
+ return peerSequenceNumber++;
+ }
+ }
+
+ public GssEncryptor getGssEncryptor() {
+ return gssEncryptor;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssCredElement.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssCredElement.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssCredElement.java
new file mode 100644
index 0000000..657f222
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssCredElement.java
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.apache.kerby.kerberos.kerb.gss.KerbyGssProvider;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSCaller;
+import sun.security.jgss.spi.GSSCredentialSpi;
+import sun.security.jgss.spi.GSSNameSpi;
+
+import java.security.Provider;
+
+public abstract class GssCredElement implements GSSCredentialSpi {
+
+ static final Oid KRB5_OID = createOid("1.2.840.113554.1.2.2");
+
+ protected GSSCaller caller;
+ protected GssNameElement name;
+ protected int initLifeTime;
+ protected int accLifeTime;
+
+ GssCredElement(GSSCaller caller, GssNameElement name) {
+ this.caller = caller;
+ this.name = name;
+ }
+
+ public Provider getProvider() {
+ return new KerbyGssProvider();
+ }
+
+ public void dispose() throws GSSException {
+ }
+
+ public GSSNameSpi getName() throws GSSException {
+ return name;
+ }
+
+ public int getInitLifetime() throws GSSException {
+ return initLifeTime;
+ }
+
+ public int getAcceptLifetime() throws GSSException {
+ return accLifeTime;
+ }
+
+ public Oid getMechanism() {
+ return KRB5_OID;
+ }
+
+ public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
+ throw new GSSException(GSSException.FAILURE, -1, "Unsupported feature"); // TODO:
+ }
+
+ private static Oid createOid(String oidStr) {
+ Oid retVal;
+ try {
+ retVal = new Oid(oidStr);
+ } catch (GSSException e) {
+ retVal = null; // get rid of blank catch block warning
+ }
+ return retVal;
+ }
+}
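Review bot: `createOid` turns a malformed OID string into a silent `null`, so a typo in the `KRB5_OID` literal would make `getMechanism()` return `null` and surface only as a NullPointerException somewhere in a caller; for a compile-time constant a loud failure at class initialisation is the right behaviour. Replace the `retVal = null` branch with `throw new IllegalStateException("Invalid mechanism OID: " + oidStr, e);`, which also preserves the cause. The empty `dispose()` is the only implementation subclasses inherit, so a Javadoc line such as `/** No-op here; subclasses holding key material or tickets must override and clear it. */` would make the contract explicit. The four `protected` non-final fields could be `private final` with accessors, since nothing in this hunk needs to reassign them after the constructor.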
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssEncryptor.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssEncryptor.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssEncryptor.java
new file mode 100644
index 0000000..4eb96e3
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssEncryptor.java
@@ -0,0 +1,388 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
+import org.apache.kerby.kerberos.kerb.crypto.CheckSumTypeHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.crypto.cksum.provider.Md5Provider;
+import org.apache.kerby.kerberos.kerb.crypto.enc.provider.DesProvider;
+import org.apache.kerby.kerberos.kerb.crypto.enc.provider.Rc4Provider;
+import org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
+import org.ietf.jgss.GSSException;
+
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
+/**
+ * This class implements encryption related function used in GSS tokens
+ */
+public class GssEncryptor {
+
+ private final EncryptionKey encKey;
+ private final EncryptionType encKeyType; // The following two variables used for convenience
+ private final byte[] encKeyBytes;
+
+ private CheckSumType checkSumTypeDef;
+ private int checkSumSize;
+
+ private boolean isV2 = false;
+ private int sgnAlg = 0xFFFF;
+ private int sealAlg = 0xFFFF;
+ private boolean isArcFourHmac = false;
+
+ private static final byte[] IV_ZEROR_8B = new byte[8];
+
+ public GssEncryptor(EncryptionKey key) throws GSSException {
+ encKey = key;
+ encKeyBytes = encKey.getKeyData();
+ encKeyType = key.getKeyType();
+
+ if (encKeyType == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
+ checkSumSize = 12;
+ checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES128;
+ isV2 = true;
+ } else if (encKeyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
+ checkSumSize = 12;
+ checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES256;
+ isV2 = true;
+ } else if (encKeyType == EncryptionType.DES_CBC_CRC || encKeyType == EncryptionType.DES_CBC_MD5) {
+ sgnAlg = GssTokenV1.SGN_ALG_DES_MAC_MD5;
+ sealAlg = GssTokenV1.SEAL_ALG_DES;
+ checkSumSize = 8;
+ } else if (encKeyType == EncryptionType.DES3_CBC_SHA1) {
+ sgnAlg = GssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD;
+ sealAlg = GssTokenV1.SEAL_ALG_DES3_KD;
+ checkSumSize = 20;
+ } else if (encKeyType == EncryptionType.ARCFOUR_HMAC) {
+ sgnAlg = GssTokenV1.SGN_ALG_RC4_HMAC;
+ sealAlg = GssTokenV1.SEAL_ALG_RC4_HMAC;
+ checkSumSize = 16;
+ isArcFourHmac = true;
+ } else {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Invalid encryption type: " + encKeyType.getDisplayName());
+ }
+ }
+
+ /**
+ * Return true if it is encryption type defined in RFC 4121
+ * @return
+ */
+ public boolean isV2() {
+ return isV2;
+ }
+
+ public int getSgnAlg() {
+ return sgnAlg;
+ }
+
+ public int getSealAlg() {
+ return sealAlg;
+ }
+
+ public boolean isArcFourHmac() {
+ return isArcFourHmac;
+ }
+
+ public byte[] encryptData(byte[] tokenHeader, byte[] data,
+ int offset, int len, int keyUsage) throws GSSException {
+ byte[] ret;
+ byte[] toProcess = new byte[tokenHeader.length + len];
+ System.arraycopy(data, offset, toProcess, 0, len);
+ System.arraycopy(tokenHeader, 0, toProcess, len, tokenHeader.length);
+
+ ret = encryptData(toProcess, keyUsage);
+ return ret;
+ }
+
+ public byte[] encryptData(byte[] toProcess, int keyUsage) throws GSSException {
+ byte[] ret;
+ try {
+ EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
+ ret = encHandler.encrypt(toProcess, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ return ret;
+ }
+
+ public byte[] decryptData(byte[] dataEncrypted, int keyUsage) throws GSSException {
+ byte[] ret;
+ try {
+ EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
+ ret = encHandler.decrypt(dataEncrypted, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ return ret;
+ }
+
+ public byte[] calculateCheckSum(byte[] header, byte[] data, int offset, int len, int keyUsage)
+ throws GSSException {
+ int totalLen = len + (header == null ? 0 : header.length);
+ byte[] buffer = new byte[totalLen];
+ System.arraycopy(data, offset, buffer, 0, len);
+ if (header != null) {
+ System.arraycopy(header, 0, buffer, len, header.length);
+ }
+
+ try {
+ return CheckSumHandler.getCheckSumHandler(checkSumTypeDef)
+ .checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in checksum calculation:" + e.getMessage());
+ }
+ }
+
+ /**
+ * Get the size of the corresponding checksum algorithm
+ * @return
+ * @throws GSSException
+ */
+ public int getCheckSumSize() throws GSSException {
+ return checkSumSize;
+ }
+
+
+ private void addPadding(int paddingLen, byte[] outBuf, int offset) {
+ for (int i = 0; i < paddingLen; i++) {
+ outBuf[offset + i] = (byte) paddingLen;
+ }
+ }
+
+ private byte[] getFirstBytes(byte[] src, int len) {
+ if (len < src.length) {
+ byte[] ret = new byte[len];
+ System.arraycopy(src, 0, ret, 0, len);
+ return ret;
+ }
+ return src;
+ }
+
+ private byte[] getKeyBytesWithLength(int len) {
+ return getFirstBytes(encKeyBytes, len);
+ }
+
+ public byte[] calculateCheckSum(byte[] confounder, byte[] header,
+ byte[] data, int offset, int len, int paddingLen, boolean isMic)
+ throws GSSException {
+ byte[] ret;
+ int keyUsage = GssTokenV1.KG_USAGE_SIGN;
+ CheckSumTypeHandler handler;
+
+ int keySize;
+ byte[] key;
+ byte[] toProc;
+ int toOffset;
+ int toLen = (confounder == null ? 0 : confounder.length)
+ + (header == null ? 0 : header.length) + len + paddingLen;
+ if (toLen == len) {
+ toProc = data;
+ toOffset = offset;
+ } else {
+ toOffset = 0;
+ int idx = 0;
+ toProc = new byte[toLen];
+
+ if (header != null) {
+ System.arraycopy(header, 0, toProc, idx, header.length);
+ idx += header.length;
+ }
+
+ if (confounder != null) {
+ System.arraycopy(confounder, 0, toProc, idx, confounder.length);
+ idx += confounder.length;
+ }
+
+ System.arraycopy(data, offset, toProc, idx, len);
+ addPadding(paddingLen, toProc, len + idx);
+ }
+
+ CheckSumType chksumType;
+ try {
+ switch (sgnAlg) {
+ case GssTokenV1.SGN_ALG_DES_MAC_MD5:
+ Md5Provider md5Provider = new Md5Provider();
+ md5Provider.hash(toProc);
+ toProc = md5Provider.output();
+
+ case GssTokenV1.SGN_ALG_DES_MAC:
+ DesProvider desProvider = new DesProvider();
+ return desProvider.cbcMac(encKeyBytes, IV_ZEROR_8B, toProc);
+
+ case GssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
+ chksumType = CheckSumType.HMAC_SHA1_DES3_KD;
+ break;
+ case GssTokenV1.SGN_ALG_RC4_HMAC:
+ chksumType = CheckSumType.MD5_HMAC_ARCFOUR;
+ if (isMic) {
+ keyUsage = GssTokenV1.KG_USAGE_MS_SIGN;
+ }
+ break;
+ case GssTokenV1.SGN_ALG_MD25:
+ throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for SGN_ALG_MD25");
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for sgnAlg=" + sgnAlg);
+ }
+ handler = CheckSumHandler.getCheckSumHandler(chksumType);
+ keySize = handler.keySize();
+ key = getKeyBytesWithLength(keySize);
+ ret = handler.checksumWithKey(toProc, toOffset, toLen, key, keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in checksum calculation sgnAlg = " + sgnAlg + " : " + e.getMessage());
+ }
+ return ret;
+ }
+
+ public byte[] encryptSequenceNumber(byte[] seqBytes, byte[] ivSrc, boolean encrypt)
+ throws GSSException {
+ EncTypeHandler handler;
+ try {
+ switch (sgnAlg) {
+ case GssTokenV1.SGN_ALG_DES_MAC_MD5:
+ case GssTokenV1.SGN_ALG_DES_MAC:
+ DesProvider desProvider = new DesProvider();
+ byte[] data = seqBytes.clone();
+ if (encrypt) {
+ desProvider.encrypt(encKeyBytes, ivSrc, data);
+ } else {
+ desProvider.decrypt(encKeyBytes, ivSrc, data);
+ }
+ return data;
+ case GssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
+ break;
+ case GssTokenV1.SGN_ALG_RC4_HMAC:
+ return encryptArcFourHmac(seqBytes, getKeyBytesWithLength(16), getFirstBytes(ivSrc, 8), encrypt);
+ case GssTokenV1.SGN_ALG_MD25:
+ throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for SGN_ALG_MD25");
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for sgnAlg=" + sgnAlg);
+ }
+ int keySize = handler.keySize();
+ byte[] key = getKeyBytesWithLength(keySize);
+ int ivLen = handler.encProvider().blockSize();
+ byte[] iv = getFirstBytes(ivSrc, ivLen);
+ if (encrypt) {
+ return handler.encryptRaw(seqBytes, key, iv, GssTokenV1.KG_USAGE_SEQ);
+ } else {
+ return handler.decryptRaw(seqBytes, key, iv, GssTokenV1.KG_USAGE_SEQ);
+ }
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in encrypt seq number sgnAlg = " + sgnAlg + " : " + e.getMessage());
+ }
+ }
+
+ private byte[] getHmacMd5(byte[] key, byte[] salt) throws GSSException {
+ try {
+ SecretKey secretKey = new SecretKeySpec(key, "HmacMD5");
+ Mac mac = Mac.getInstance("HmacMD5");
+ mac.init(secretKey);
+ return mac.doFinal(salt);
+ } catch (Exception e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Get HmacMD5 failed: " + e.getMessage());
+ }
+ }
+
+ private byte[] encryptArcFourHmac(byte[] data, byte[] key, byte[] iv, boolean encrypt)
+ throws GSSException {
+ byte[] sk1 = getHmacMd5(key, new byte[4]);
+ byte[] sk2 = getHmacMd5(sk1, iv);
+ Rc4Provider provider = new Rc4Provider();
+ try {
+ byte[] ret = data.clone();
+ if (encrypt) {
+ provider.encrypt(sk2, ret);
+ } else {
+ provider.decrypt(sk2, ret);
+ }
+ return ret;
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "En/Decrypt sequence failed for ArcFourHmac: " + e.getMessage());
+ }
+ }
+
+ private byte[] encryptDataArcFourHmac(byte[] data, byte[] key, byte[] seqNum, boolean encrypt) throws GSSException {
+ byte[] dataKey = new byte[key.length];
+ for (int i = 0; i <= 15; i++) {
+ dataKey[i] = (byte) (key[i] ^ 0xF0);
+ }
+ return encryptArcFourHmac(data, dataKey, seqNum, encrypt);
+ }
+
+ public byte[] encryptTokenV1(byte[] confounder, byte[] data, int offset, int len,
+ int paddingLen, byte[] seqNumber, boolean encrypt) throws GSSException {
+ byte[] toProc;
+ if (encrypt) {
+ int toLen = (confounder == null ? 0 : confounder.length) + len + paddingLen;
+ int index = 0;
+ toProc = new byte[toLen];
+ if (confounder != null) {
+ System.arraycopy(confounder, 0, toProc, 0, confounder.length);
+ index += confounder.length;
+ }
+ System.arraycopy(data, offset, toProc, index, len);
+ addPadding(paddingLen, toProc, index + len);
+ } else {
+ toProc = data;
+ if (data.length != len) {
+ toProc = new byte[len];
+ System.arraycopy(data, offset, toProc, 0, len);
+ }
+ }
+ EncTypeHandler handler;
+ try {
+ switch (sealAlg) {
+ case GssTokenV1.SEAL_ALG_DES:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES_CBC_MD5);
+ break;
+ case GssTokenV1.SEAL_ALG_DES3_KD:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
+ break;
+ case GssTokenV1.SEAL_ALG_RC4_HMAC:
+ return encryptDataArcFourHmac(toProc, getKeyBytesWithLength(16), seqNumber, encrypt);
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "Unknown encryption type sealAlg = " + sealAlg);
+ }
+
+ int keySize = handler.keySize();
+ byte[] key = getKeyBytesWithLength(keySize);
+ if (encrypt) {
+ return handler.encryptRaw(toProc, key, GssTokenV1.KG_USAGE_SEAL);
+ } else {
+ return handler.decryptRaw(toProc, key, GssTokenV1.KG_USAGE_SEAL);
+ }
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in encrypt data sealAlg = " + sealAlg + " : " + e.getMessage());
+ }
+ }
+}
\ No newline at end of file
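Review bot: `encryptDataArcFourHmac` allocates `dataKey` with `key.length` entries but XORs a fixed `i <= 15` range, so a key shorter than 16 bytes throws ArrayIndexOutOfBoundsException and a longer one keeps a zeroed tail; `getFirstBytes` returns the source array unchanged when it is shorter than the requested length, so the caller's `getKeyBytesWithLength(16)` does not guarantee exactly 16 bytes. Loop over the actual length instead: `for (int i = 0; i < key.length; i++) { dataKey[i] = (byte) (key[i] ^ 0xF0); }`. In `calculateCheckSum` the `SGN_ALG_DES_MAC_MD5` case intentionally falls into `SGN_ALG_DES_MAC` after replacing `toProc` with the MD5 digest; mark it with `// fall through: DES-CBC-MAC is computed over the MD5 digest` so the missing `break` is not read as a defect. The class comment should also say that the `sgnAlg`/`sealAlg` paths (DES, DES3, RC4-HMAC with MD5) are the legacy RFC 1964/4757 token formats kept for interoperability, while `isV2()` selects the RFC 4121 AES path; `getHmacMd5` catching bare `Exception` could be narrowed to `NoSuchAlgorithmException | InvalidKeyException` so unrelated runtime errors are not re-labelled as a GSS failure.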
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java
new file mode 100644
index 0000000..0b2516d
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssInitCred.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.security.auth.kerberos.KerberosTicket;
+
+public final class GssInitCred extends GssCredElement {
+
+ public KerberosTicket ticket;
+
+ private GssInitCred(GSSCaller caller, GssNameElement name, KerberosTicket ticket, int lifeTime) {
+ super(caller, name);
+ this.ticket = ticket;
+ this.initLifeTime = lifeTime;
+ }
+
+ public static GssInitCred getInstance(GSSCaller caller, GssNameElement name, int lifeTime) throws GSSException {
+ KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, name.getPrincipalName().getName(), null);
+ return new GssInitCred(caller, name, ticket, lifeTime);
+ }
+
+ public boolean isInitiatorCredential() throws GSSException {
+ return true;
+ }
+
+ public boolean isAcceptorCredential() throws GSSException {
+ return false;
+ }
+
+ public KerberosTicket getKerberosTicket() {
+ return ticket;
+ }
+}
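Review bot: `public KerberosTicket ticket;` exposes the initiator's credential (the ticket carries its session key) as a writable public field even though `getKerberosTicket()` already gives read access, so any code in the JVM can swap the ticket after construction. Make it `private final KerberosTicket ticket;` — it is only assigned in the private constructor. `isInitiatorCredential`/`isAcceptorCredential` should carry `@Override`, and a one-line class Javadoc such as `/** Initiator-side credential element; the backing ticket appears to come from the caller's context via CredUtils. */` would tell a reader how this differs from GssCredElement, which nothing here explains.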
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssNameElement.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssNameElement.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssNameElement.java
new file mode 100644
index 0000000..bd5c8a4
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssNameElement.java
@@ -0,0 +1,135 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.apache.kerby.kerberos.kerb.gss.GssMechFactory;
+import org.apache.kerby.kerberos.kerb.gss.KerbyGssProvider;
+import org.apache.kerby.kerberos.kerb.type.base.NameType;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.spi.GSSNameSpi;
+import java.io.UnsupportedEncodingException;
+import java.security.Provider;
+
+public class GssNameElement implements GSSNameSpi {
+
+ private PrincipalName principalName;
+ private Oid nameType = null;
+
+ GssNameElement(PrincipalName principalName,
+ Oid nameType) {
+ this.principalName = principalName;
+ this.nameType = nameType;
+ }
+
+ public PrincipalName toKerbyPrincipalName(sun.security.krb5.PrincipalName name) {
+ return new PrincipalName(name.getNameString(), toKerbyNameType(name.getNameType()));
+ }
+
+ private NameType toKerbyNameType(int intNameType) {
+ return NameType.fromValue(intNameType);
+ }
+
+ public static NameType toKerbyNameType(Oid nameType) throws GSSException {
+ NameType kerbyNameType;
+
+ if (nameType == null) {
+ throw new GSSException(GSSException.BAD_NAMETYPE);
+ }
+
+ if (nameType.equals(GSSName.NT_EXPORT_NAME) || nameType.equals(GSSName.NT_USER_NAME)) {
+ kerbyNameType = NameType.NT_PRINCIPAL;
+ } else if (nameType.equals(GSSName.NT_HOSTBASED_SERVICE)) {
+ kerbyNameType = NameType.NT_SRV_HST;
+ } else {
+ throw new GSSException(GSSException.BAD_NAMETYPE, 0, "Unsupported Oid name type");
+ }
+ return kerbyNameType;
+ }
+
+ public static GssNameElement getInstance(String name, Oid oidNameType)
+ throws GSSException {
+ PrincipalName principalName = new PrincipalName(name, toKerbyNameType(oidNameType));
+ return new GssNameElement(principalName, oidNameType);
+ }
+
+ public Provider getProvider() {
+ return new KerbyGssProvider();
+ }
+
+ public boolean equals(GSSNameSpi name) throws GSSException {
+ if (name == null || name.isAnonymousName() || isAnonymousName()) {
+ return false;
+ }
+ return this.toString().equals(name.toString()) && this.getStringNameType().equals(name.getStringNameType());
+ }
+
+ public final PrincipalName getPrincipalName() {
+ return principalName;
+ }
+
+ public boolean equals(Object another) {
+ if (another == null) {
+ return false;
+ }
+
+ try {
+ if (another instanceof GSSNameSpi) {
+ return equals((GSSNameSpi) another);
+ }
+ } catch (GSSException e) {
+ return false;
+ }
+
+ return false;
+ }
+
+ public int hashCode() {
+ return principalName.hashCode();
+ }
+
+ public byte[] export() throws GSSException {
+ byte[] retVal;
+ try {
+ retVal = principalName.getName().getBytes("UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ throw new GSSException(GSSException.BAD_NAME, -1, e.getMessage());
+ }
+ return retVal;
+ }
+
+ public Oid getMechanism() {
+ return GssMechFactory.getOid();
+ }
+
+ public String toString() {
+ return principalName.toString();
+ }
+
+ public Oid getStringNameType() {
+ return nameType;
+ }
+
+ public boolean isAnonymousName() {
+ return nameType.equals(GSSName.NT_ANONYMOUS);
+ }
+}
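Review bot: `isAnonymousName()` dereferences `nameType`, which the package-private constructor accepts without a check (the field is even initialised to `null`), so a caller that bypasses `getInstance` gets a NullPointerException there and in the `getStringNameType().equals(...)` comparison of `equals(GSSNameSpi)`; write it null-safe as `return GSSName.NT_ANONYMOUS.equals(nameType);` or validate in the constructor with `Objects.requireNonNull`. `export()` returns only the raw UTF-8 bytes of the principal, whereas RFC 2743 §3.2 defines the exported name as a 0x04 0x01 header, the mechanism OID and a length-prefixed name, which is what a peer importing with `NT_EXPORT_NAME` will try to parse; if raw bytes are intentional for now, a comment saying so would save the next reader a round trip. The charset lookup can also drop the checked exception as `principalName.getName().getBytes(StandardCharsets.UTF_8)`.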
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenBase.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenBase.java
new file mode 100644
index 0000000..ec66aa5
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenBase.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+
+public abstract class GssTokenBase {
+ public static final int TOKEN_WRAP_V1 = 0x201;
+ public static final int TOKEN_MIC_V1 = 0x101;
+ public static final int TOKEN_WRAP_V2 = 0x504;
+ public static final int TOKEN_MIC_V2 = 0x404;
+
+ public void writeBigEndian(byte[] buf, int offset, int value) {
+ buf[offset] = (byte) (value >>> 24);
+ buf[offset + 1] = (byte) (value >>> 16);
+ buf[offset + 2] = (byte) (value >>> 8);
+ buf[offset + 3] = (byte) (value);
+ }
+
+ public int readBigEndian(byte[] buf, int offset) {
+ int value = 0;
+ value += (buf[offset] & 0xFF) << 24;
+ value += (buf[offset + 1] & 0xFF) << 16;
+ value += (buf[offset + 2] & 0xFF) << 8;
+ value += buf[offset + 3] & 0xFF;
+ return value;
+ }
+
+ /**
+ *
+ * @param buf
+ * @param offset
+ * @param len should not be larger than sizeof(int)
+ * @return
+ */
+ public int readBigEndian(byte[] buf, int offset, int len) {
+ int value = 0;
+ for (int i = 0; i < len; i++) {
+ value += (buf[offset + i] & 0xFF) << 8;
+ }
+ return value;
+ }
+}
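Review bot: `readBigEndian(byte[], int, int)` does not accumulate: every iteration does `value += (buf[offset + i] & 0xFF) << 8`, so each byte is shifted by the same 8 bits and summed — the two bytes 0x01 0x02 yield 0x300 instead of 0x102. The loop body should be `value = (value << 8) | (buf[offset + i] & 0xFF);`, which also makes the 4-byte overload a special case of this one. The Javadoc's "should not be larger than sizeof(int)" is not enforced; since these readers parse token headers received from the peer, a guard such as `if (len < 0 || len > 4) throw new IllegalArgumentException("len must be 0..4: " + len);` keeps a malformed length from silently wrapping, and the empty `@param buf`, `@param offset` and `@return` tags should be filled in.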
[27/50] [abbrv] directory-kerby git commit: Continued on DIRKRB-552
Fail to restart KdcServer.
Posted by co...@apache.org.
Continued on DIRKRB-552 Fail to restart KdcServer.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/0935dbac
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/0935dbac
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/0935dbac
Branch: refs/heads/gssapi
Commit: 0935dbac5ff2c6ffd19db1014a41257db962c7e0
Parents: 7005d51
Author: plusplusjiajia <ji...@intel.com>
Authored: Mon Jun 6 15:26:07 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../org/apache/kerby/kerberos/kerb/transport/KdcNetwork.java | 6 ++++++
1 file changed, 6 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0935dbac/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/transport/KdcNetwork.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/transport/KdcNetwork.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/transport/KdcNetwork.java
index e3d7570..5323225 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/transport/KdcNetwork.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/transport/KdcNetwork.java
@@ -106,6 +106,12 @@ public abstract class KdcNetwork {
//CHECKSTYLE:ON
public synchronized void stop() {
+ // TODO: waiting the network closed.
+ try {
+ Thread.sleep(1000);
+ } catch (InterruptedException e) {
+ e.printStackTrace();
+ }
isStopped = true;
}
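Review bot: The added `Thread.sleep(1000)` in `stop()` is a fixed delay, not a wait for the network to close, so it does not resolve the restart race the TODO describes; it also holds the monitor of `stop()` for a second, and because `isStopped = true` is set only after the sleep the transport keeps running for that second. At minimum the handler should restore the interrupt status instead of `e.printStackTrace()`: `Thread.currentThread().interrupt();`. If the intent is to wait for the listener thread to finish, a join or latch set before `isStopped` is read would replace the sleep; the rest of `KdcNetwork` is outside this hunk.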
[47/50] [abbrv] directory-kerby git commit: Remove bin in .gitignore
file.
Posted by co...@apache.org.
Remove bin in .gitignore file.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/35117e22
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/35117e22
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/35117e22
Branch: refs/heads/gssapi
Commit: 35117e225f397d449723fc3b82af762646d9f8e9
Parents: c1a8e51
Author: plusplusjiajia <ji...@intel.com>
Authored: Tue Jun 7 10:23:51 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.gitignore | 1 -
1 file changed, 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/35117e22/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index d639513..c0eb2f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,7 +14,6 @@ dependency-reduced-pom.xml
.pmdruleset.xml
.pmd
.checkstyle
-bin/
kerby-dist/kdc-dist/logs/
kerby-dist/tool-dist/logs/
kerby-dist/kdc-dist/conf/krb5.conf
[24/50] [abbrv] directory-kerby git commit: Minor grammatical typos
Posted by co...@apache.org.
Minor grammatical typos
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/28be4b6c
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/28be4b6c
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/28be4b6c
Branch: refs/heads/gssapi
Commit: 28be4b6c10a98f9e9f5267fb86dd5c7800eadae2
Parents: 97c587f
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Jun 15 17:14:16 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java | 2 +-
.../org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/28be4b6c/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
index c31053e..ff36235 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbRuntime.java
@@ -37,7 +37,7 @@ public class KrbRuntime {
*/
public static synchronized TokenProvider getTokenProvider() {
if (tokenProvider == null) {
- throw new RuntimeException("No token provider is hooked into yet");
+ throw new RuntimeException("No token provider is available");
}
return tokenProvider;
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/28be4b6c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 8d44d9f..7b4c79d 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -208,7 +208,7 @@ public abstract class KdcRequest {
if (paData != null) {
for (PaDataEntry paEntry : paData.getElements()) {
if (paEntry.getPaDataType() == PaDataType.FX_FAST) {
- LOG.info("Found fast padata and start to process it.");
+ LOG.info("Found fast padata and starting to process it.");
KrbFastArmoredReq fastArmoredReq = KrbCodec.decode(paEntry.getPaDataValue(),
KrbFastArmoredReq.class);
KrbFastArmor fastArmor = fastArmoredReq.getArmor();
[04/50] [abbrv] directory-kerby git commit: DIRKRB-559 Validataion of
ApReq and ApRep message in peer node. Contributed by Wei.
Posted by co...@apache.org.
DIRKRB-559 Validation of ApReq and ApRep message in peer node. Contributed by Wei.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/e41fb489
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/e41fb489
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/e41fb489
Branch: refs/heads/gssapi
Commit: e41fb489f2bfdbfcf3a43f077dd4e28f1035be17
Parents: aa1bd31
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Apr 27 10:37:47 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/request/ApRequest.java | 37 +++++++++++++++++
.../kerberos/kerb/response/ApResponse.java | 42 ++++++++++++++++----
.../kerby/kerberos/kerb/type/KerberosTime.java | 22 ++++++++++
3 files changed, 94 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e41fb489/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
index 82666a6..096b0de 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -29,12 +29,15 @@ import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
+import java.net.InetAddress;
+
/**
* A wrapper for ApReq request
* The client principal and sgt ticket are needed to create ApReq message.
@@ -118,6 +121,40 @@ public class ApRequest {
}
/*
+ * Validate the ApReq with channel binding and time
+ */
+ public static void validate(EncryptionKey encKey, ApReq apReq,
+ InetAddress initiator,
+ long timeSkew) throws KrbException {
+ validate(encKey, apReq);
+ Ticket ticket = apReq.getTicket();
+ EncTicketPart tktEncPart = ticket.getEncPart();
+ Authenticator authenticator = apReq.getAuthenticator();
+ if (initiator != null) {
+ HostAddresses clientAddrs = tktEncPart.getClientAddresses();
+ if (clientAddrs != null && !clientAddrs.contains(initiator)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
+ }
+ }
+
+ if (timeSkew != 0) {
+ if (authenticator.getCtime().isInClockSkew(timeSkew)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
+ }
+
+ KerberosTime now = KerberosTime.now();
+ KerberosTime startTime = tktEncPart.getStartTime();
+ if (startTime != null && startTime.greaterThanWithSkew(now, timeSkew)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
+ }
+
+ if (tktEncPart.getEndTime().lessThanWithSkew(now, timeSkew)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
+ }
+ }
+ }
+
+ /*
* Unseal the authenticator through the encryption key from ticket
*/
public static void unsealAuthenticator(EncryptionKey encKey, ApReq apReq) throws KrbException {
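Review bot: The skew check in the new `validate` looks inverted: `isInClockSkew` is documented in this same commit's KerberosTime hunk as "Check if the KerberosTime is within the provided clock skew", so `if (authenticator.getCtime().isInClockSkew(timeSkew))` throws KRB_AP_ERR_SKEW for authenticators whose ctime is acceptable and accepts those outside the skew; it should read `if (!authenticator.getCtime().isInClockSkew(timeSkew)) {`. The `if (timeSkew != 0)` gate also means a caller configuring zero tolerance gets no ctime, start-time or end-time validation at all, which is the opposite of strict; run the checks unconditionally and let a zero skew mean exact comparison. The comment above the method should also name the error codes a caller can expect (`KRB_AP_ERR_BADADDR`, `KRB_AP_ERR_SKEW`, `KRB_AP_ERR_TKT_NYV`, `KRB_AP_ERR_TKT_EXPIRED`).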
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e41fb489/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
index 2d01004..344fe83 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
@@ -19,12 +19,13 @@
*/
package org.apache.kerby.kerberos.kerb.response;
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.request.ApRequest;
-import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.type.ap.EncAPRepPart;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
@@ -43,8 +44,14 @@ public class ApResponse {
this.encryptionKey = encryptionKey;
}
+ public ApResponse(ApReq apReq) {
+ this.apReq = apReq;
+ }
+
public ApRep getApRep() throws KrbException {
- ApRequest.validate(encryptionKey, apReq);
+ if (encryptionKey != null) {
+ ApRequest.validate(encryptionKey, apReq);
+ }
if (apRep == null) {
apRep = makeApRep();
@@ -64,17 +71,38 @@ public class ApResponse {
ApRep apRep = new ApRep();
EncAPRepPart encAPRepPart = new EncAPRepPart();
+
+ Authenticator auth = apReq.getAuthenticator();
// This field contains the current time on the client's host.
- encAPRepPart.setCtime(KerberosTime.now());
+ encAPRepPart.setCtime(auth.getCtime());
// This field contains the microsecond part of the client's timestamp.
- encAPRepPart.setCusec((int) KerberosTime.now().getTimeInSeconds());
- encAPRepPart.setSubkey(apReq.getAuthenticator().getSubKey());
+ encAPRepPart.setCusec(auth.getCusec());
+ encAPRepPart.setSubkey(auth.getSubKey());
encAPRepPart.setSeqNumber(0);
apRep.setEncRepPart(encAPRepPart);
- EncryptedData encPart = EncryptionUtil.seal(encAPRepPart,
- apReq.getAuthenticator().getSubKey(), KeyUsage.AP_REP_ENCPART);
+ EncryptedData encPart = EncryptionUtil.seal(encAPRepPart, auth.getSubKey(), KeyUsage.AP_REP_ENCPART);
apRep.setEncryptedEncPart(encPart);
return apRep;
}
+
+ /**
+ * Validation for KRB_AP_REP message
+ * @param encKey key used to encrypt encrypted part of KRB_AP_REP message
+ * @param apRep KRB_AP_REP message received
+ * @param apReqSent the KRB_AP_REQ message that caused the KRB_AP_REP message from server
+ * @throws KrbException
+ */
+ public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
+ EncAPRepPart encPart = EncryptionUtil.unseal(apRep.getEncryptedEncPart(),
+ encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
+ apRep.setEncRepPart(encPart);
+ if (apReqSent != null) {
+ Authenticator auth = apReqSent.getAuthenticator();
+ if (!encPart.getCtime().equals(auth.getCtime())
+ || encPart.getCusec() != auth.getCusec()) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
+ }
+ }
+ }
}
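Review bot: With the new `ApResponse(ApReq)` constructor, `getApRep()` builds and seals a mutual-authentication reply from an AP-REQ that this class never validated (the `ApRequest.validate` call is skipped when `encryptionKey` is null), echoing `auth.getCtime()`/`auth.getCusec()` and sealing with `auth.getSubKey()`; nothing documents that the caller must have verified the authenticator first. Add a Javadoc on that constructor such as `/** Builds a reply for an ApReq the caller has already validated (e.g. via ApRequest.validate); no key is available here to validate it again. */`. In `validate`, `encPart.getCusec() != auth.getCusec()` is only correct if `getCusec()` returns a primitive `int`; if it returns `Integer`, `!=` compares references and mutual auth would fail spuriously outside the boxed cache range — worth confirming. The `@throws KrbException` tag should say when: when the encrypted part cannot be unsealed, or when ctime/cusec do not match (`KRB_AP_ERR_MUT_FAIL`).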
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e41fb489/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
index c89b0cc..e3da3b1 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
@@ -107,6 +107,17 @@ public class KerberosTime extends Asn1GeneralizedTime {
/**
* Compare the KerberosTime with another one, and return <tt>true</tt>
+ * if it's lesser than the provided one with time skew
+ * @param ktime
+ * @param skew Maximum time skew in milliseconds
+ * @return <tt>true</tt> if less
+ */
+ public boolean lessThanWithSkew(KerberosTime ktime, long skew) {
+ return diff(ktime) - skew <= 0;
+ }
+
+ /**
+ * Compare the KerberosTime with another one, and return <tt>true</tt>
* if it's greater than the provided one
*
* @param ktime compare with milliseconds
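Review bot: `lessThanWithSkew` applies the skew in the strict rather than the tolerant direction: assuming `diff(ktime)` is this time minus `ktime` (please confirm), `diff(ktime) - skew <= 0` is true whenever this time is at most `skew` ms later than `ktime`, so the ApRequest caller treats a ticket whose end time is still up to `skew` ms in the future as expired, and `greaterThanWithSkew` in the next hunk has the mirror problem for start time. The tolerant forms are `return diff(ktime) + skew < 0;` and `return diff(ktime) - skew > 0;`, matching RFC 4120 §3.2.3, which rejects only when the difference exceeds the allowable skew. The `<=`/`>=` also make both methods true at equality, which the strict `lessThan`/`greaterThan` naming does not suggest, and the `@param ktime` tags are empty.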
@@ -117,6 +128,17 @@ public class KerberosTime extends Asn1GeneralizedTime {
}
/**
+ * Compare the KerberosTime with another one, and return <tt>true</tt>
+ * if it's greater than the provided one with time skew
+ * @param ktime
+ * @param skew Maximum time skew in milliseconds
+ * @return <tt>true</tt> if greater
+ */
+ public boolean greaterThanWithSkew(KerberosTime ktime, long skew) {
+ return diff(ktime) + skew >= 0;
+ }
+
+ /**
* Check if the KerberosTime is within the provided clock skew
*
* @param clockSkew The clock skew
[45/50] [abbrv] directory-kerby git commit: Spelling typo
Posted by co...@apache.org.
Spelling typo
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/83b95b77
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/83b95b77
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/83b95b77
Branch: refs/heads/gssapi
Commit: 83b95b770537ac2f4b8f64110537278f84e11a33
Parents: cdb20f1
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Jun 15 17:22:54 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../src/main/java/org/apache/kerby/kerberos/kerb/KrbErrorCode.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/83b95b77/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbErrorCode.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbErrorCode.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbErrorCode.java
index b7f3df3..30ddc0b 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbErrorCode.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/KrbErrorCode.java
@@ -98,7 +98,7 @@ public enum KrbErrorCode implements EnumType {
TOKEN_PREAUTH_NOT_ALLOWED(82, "Token preauth is not allowed"),
KRB_TIMEOUT(5000, "Network timeout"),
- UNKNOWN_ERR(5001, "Unknow error");
+ UNKNOWN_ERR(5001, "Unknown error");
private final int value;
private final String message;
[49/50] [abbrv] directory-kerby git commit: DIRKRB-587 - Load JWT
verification key from classpath as well
Posted by co...@apache.org.
DIRKRB-587 - Load JWT verification key from classpath as well
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/050c3d0e
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/050c3d0e
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/050c3d0e
Branch: refs/heads/gssapi
Commit: 050c3d0e17f93dde95eed52aa5055adaf78a3a44
Parents: 83b95b7
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Jun 15 17:29:55 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerb/server/preauth/token/TokenPreauth.java | 50 ++++++++++----------
1 file changed, 24 insertions(+), 26 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/050c3d0e/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index f4580fc..34fec85 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -48,6 +48,7 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
+import java.io.InputStream;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.List;
@@ -123,39 +124,35 @@ public class TokenPreauth extends AbstractPreauthPlugin {
private void configureKeys(TokenDecoder tokenDecoder, KdcRequest kdcRequest, String issuer) {
String verifyKeyPath = kdcRequest.getKdcContext().getConfig().getVerifyKeyConfig();
if (verifyKeyPath != null) {
- File verifyKeyFile = getKeyFile(verifyKeyPath, issuer);
- if (verifyKeyFile != null) {
- PublicKey verifyKey = null;
- try {
- FileInputStream fis = new FileInputStream(verifyKeyFile);
- verifyKey = PublicKeyReader.loadPublicKey(fis);
- } catch (FileNotFoundException e) {
- e.printStackTrace();
- } catch (Exception e) {
- e.printStackTrace();
+ try {
+ InputStream verifyKeyFile = getKeyFileStream(verifyKeyPath, issuer);
+ if (verifyKeyFile != null) {
+ PublicKey verifyKey = PublicKeyReader.loadPublicKey(verifyKeyFile);
+ tokenDecoder.setVerifyKey(verifyKey);
}
- tokenDecoder.setVerifyKey(verifyKey);
+ } catch (FileNotFoundException e) {
+ e.printStackTrace();
+ } catch (Exception e) {
+ e.printStackTrace();
}
}
String decryptionKeyPath = kdcRequest.getKdcContext().getConfig().getDecryptionKeyConfig();
if (decryptionKeyPath != null) {
- File decryptionKeyFile = getKeyFile(decryptionKeyPath, issuer);
- if (decryptionKeyFile != null) {
- PrivateKey decryptionKey = null;
- try {
- FileInputStream fis = new FileInputStream(decryptionKeyFile);
- decryptionKey = PrivateKeyReader.loadPrivateKey(fis);
- } catch (FileNotFoundException e) {
- e.printStackTrace();
- } catch (Exception e) {
- e.printStackTrace();
+ try {
+ InputStream decryptionKeyFile = getKeyFileStream(decryptionKeyPath, issuer);
+ if (decryptionKeyFile != null) {
+ PrivateKey decryptionKey = PrivateKeyReader.loadPrivateKey(decryptionKeyFile);
+ tokenDecoder.setDecryptionKey(decryptionKey);
}
- tokenDecoder.setDecryptionKey(decryptionKey);
+ } catch (FileNotFoundException e) {
+ e.printStackTrace();
+ } catch (Exception e) {
+ e.printStackTrace();
}
}
}
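Review bot: The `InputStream` returned by `getKeyFileStream` is never closed in `configureKeys`, so every request that reaches this path leaks a `FileInputStream` (or the classpath stream); declare it in a try-with-resources — `try (InputStream verifyKeyFile = getKeyFileStream(verifyKeyPath, issuer)) {` and likewise `try (InputStream decryptionKeyFile = getKeyFileStream(decryptionKeyPath, issuer)) {` — a null resource is legal there and is simply not closed. Failure to load the JWT verification key is still handled with `e.printStackTrace()`, leaving `tokenDecoder` without a verify key while the request proceeds; whether that lets an unverified token through depends on TokenDecoder, but the KDC should at least log it at error level with the path, and the `FileNotFoundException` branch is subsumed by `catch (Exception e)`. In the next hunk, `return new FileInputStream(verifyKeyFile)` will throw a NullPointerException rather than fall through to the classpath lookup if the directory scan (outside this view) found no match and left `verifyKeyFile` null — please confirm.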
- private File getKeyFile(String path, String issuer) {
+ private InputStream getKeyFileStream(String path, String issuer) throws FileNotFoundException {
File file = new File(path);
if (file.isDirectory()) {
File[] listOfFiles = file.listFiles();
@@ -170,11 +167,12 @@ public class TokenPreauth extends AbstractPreauthPlugin {
break;
}
}
- return verifyKeyFile;
+ return new FileInputStream(verifyKeyFile);
} else if (file.isFile()) {
- return file;
+ return new FileInputStream(file);
}
- return null;
+ // Not a directory or a file...maybe it's a resource on the classpath
+ return this.getClass().getClassLoader().getResourceAsStream(path);
}
}
[12/50] [abbrv] directory-kerby git commit: Revert "DIRKRB-424 Need
to initialize the log4j system properly."
Posted by co...@apache.org.
Revert "DIRKRB-424 Need to initialize the log4j system properly."
This reverts commit eff5d0ca70f6c1d21b68409615dab12ceec4cf1b.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/c1f4c861
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/c1f4c861
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/c1f4c861
Branch: refs/heads/gssapi
Commit: c1f4c861a93faf62395dc1d872e41938fe3d5b06
Parents: e41fb48
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Apr 27 15:42:43 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../src/main/resources/log4j.properties | 23 --------------------
1 file changed, 23 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c1f4c861/kerby-kerb/kerb-identity/src/main/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-identity/src/main/resources/log4j.properties b/kerby-kerb/kerb-identity/src/main/resources/log4j.properties
deleted file mode 100644
index 3c91c57..0000000
--- a/kerby-kerb/kerb-identity/src/main/resources/log4j.properties
+++ /dev/null
@@ -1,23 +0,0 @@
-#############################################################################
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#############################################################################
-log4j.rootLogger=ERROR, console
-
-
-log4j.appender.console=org.apache.log4j.ConsoleAppender
-log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %m%n
-
[22/50] [abbrv] directory-kerby git commit: DIRKRB-566 Implement Gss
tokens defined in RFC 1964. Contributed by Wei.
Posted by co...@apache.org.
DIRKRB-566 Implement Gss tokens defined in RFC 1964. Contributed by Wei.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/81eba4da
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/81eba4da
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/81eba4da
Branch: refs/heads/gssapi
Commit: 81eba4da6463edefcab28cdb931d06b0f3d6837d
Parents: e55fb7a
Author: plusplusjiajia <ji...@intel.com>
Authored: Mon May 16 15:32:51 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/gssapi/krb5/CredUtils.java | 8 +-
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 33 +-
.../kerb/gssapi/krb5/KerbyGssEncryptor.java | 300 +++++++++++++++--
.../kerb/gssapi/krb5/KerbyGssTokenV1.java | 319 +++++++++++++++++++
.../kerberos/kerb/gssapi/krb5/MicTokenV1.java | 92 ++++++
.../kerberos/kerb/gssapi/krb5/WrapTokenV1.java | 196 ++++++++++++
.../kerberos/kerb/gssapi/krb5/WrapTokenV2.java | 9 +-
7 files changed, 921 insertions(+), 36 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/81eba4da/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
index 6d066db..f7ddc31 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
@@ -4,10 +4,7 @@ import org.ietf.jgss.GSSException;
import sun.security.jgss.GSSCaller;
import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.kerberos.KerberosTicket;
-import javax.security.auth.kerberos.KeyTab;
-import javax.security.auth.kerberos.ServicePermission;
+import javax.security.auth.kerberos.*;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedActionException;
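Review bot: The wildcard `import javax.security.auth.kerberos.*;` replaces four explicit imports when the only new type the hunk below needs is KerberosKey; keeping the explicit list and adding `import javax.security.auth.kerberos.KerberosKey;` keeps the dependency set visible and matches the style of the surrounding import block. Wildcard imports are also what Checkstyle flags in most Apache builds, if this module runs it.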
@@ -55,7 +52,8 @@ public class CredUtils {
public static KeyTab getKeyTabFromContext(KerberosPrincipal principal) throws GSSException {
Set<KeyTab> tabs = getContextCredentials(KeyTab.class);
for (KeyTab tab : tabs) {
- if (tab.getPrincipal().equals(principal)) {
+ KerberosKey[] keys = tab.getKeys(principal);
+ if (keys != null && keys.length > 0) {
return tab;
}
}
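Review bot: `tab.getKeys(principal)` materialises copies of the principal's secret keys only to test whether the keytab has any, and the array is then dropped without `destroy()`, leaving key bytes on the heap until GC; the old `getPrincipal().equals(...)` check touched no key material at all. Destroy each KerberosKey once the presence test is done, best effort, as below (the catch needs `javax.security.auth.DestroyFailedException` in scope). It is also worth a comment that KeyTab.getKeys may re-read the keytab file on each call, so this loop now does I/O per candidate keytab, which is presumably acceptable here but was not the case before.
```java
        for (KeyTab tab : tabs) {
            KerberosKey[] keys = tab.getKeys(principal);
            boolean hasKeys = keys != null && keys.length > 0;
            // Only presence matters; zero the temporary key copies before going on.
            if (keys != null) {
                for (KerberosKey k : keys) {
                    try {
                        k.destroy();
                    } catch (DestroyFailedException ignored) {
                        // best effort: the copy is unreachable after this loop anyway
                    }
                }
            }
            if (hasKeys) {
                return tab;
            }
        }
```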
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/81eba4da/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index 1496cac..0bdd360 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -469,7 +469,11 @@ public class KerbyContext implements GSSContextSpi {
public int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
throws GSSException {
- return 65536; // TODO: to be implemented
+ if (gssEncryptor.isV2()) {
+ return WrapTokenV2.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
+ } else {
+ return WrapTokenV1.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
+ }
}
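Review bot: `gssEncryptor.isV2()` is dereferenced with no state check, whereas the sibling wrap/unwrap/getMIC paths in this file first throw `GSSException(NO_CONTEXT)` when `ctxState != STATE_ESTABLISHED`; if gssEncryptor is only assigned once the context is established (its assignment is not visible here), calling getWrapSizeLimit earlier yields a NullPointerException instead of a GSS error. Add the same guard at the top of the method: `if (ctxState != STATE_ESTABLISHED) { throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getWrapSizeLimit"); }`.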
public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
@@ -490,6 +494,9 @@ public class KerbyContext implements GSSContextSpi {
if (gssEncryptor.isV2()) {
WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
token.wrap(os);
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, inBuf, 0, len, msgProp);
+ token.wrap(os);
}
}
@@ -498,10 +505,13 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
- byte[] ret = null;
+ byte[] ret;
if (gssEncryptor.isV2()) {
WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
ret = token.wrap();
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, inBuf, offset, len, msgProp);
+ ret = token.wrap();
}
return ret;
}
@@ -515,6 +525,9 @@ public class KerbyContext implements GSSContextSpi {
if (gssEncryptor.isV2()) {
WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
token.unwrap(os);
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, msgProp, is);
+ token.unwrap(os);
}
}
@@ -524,10 +537,13 @@ public class KerbyContext implements GSSContextSpi {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
}
- byte[] ret = null;
+ byte[] ret;
if (gssEncryptor.isV2()) {
WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
ret = token.unwrap();
+ } else {
+ WrapTokenV1 token = new WrapTokenV1(this, msgProp, inBuf, offset, len);
+ ret = token.unwrap();
}
return ret;
}
@@ -545,6 +561,9 @@ public class KerbyContext implements GSSContextSpi {
if (gssEncryptor.isV2()) {
MicTokenV2 token = new MicTokenV2(this, inMsg, 0, len, msgProp);
token.getMic(os);
+ } else {
+ MicTokenV1 token = new MicTokenV1(this, inMsg, 0, len, msgProp);
+ token.getMic(os);
}
} catch (IOException e) {
throw new GSSException(GSSException.FAILURE, -1, "Error when get user data in getMIC:" + e.getMessage());
@@ -557,10 +576,13 @@ public class KerbyContext implements GSSContextSpi {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
}
- byte[] ret = null;
+ byte[] ret;
if (gssEncryptor.isV2()) {
MicTokenV2 token = new MicTokenV2(this, inMsg, offset, len, msgProp);
ret = token.getMic();
+ } else {
+ MicTokenV1 token = new MicTokenV1(this, inMsg, offset, len, msgProp);
+ ret = token.getMic();
}
return ret;
}
@@ -594,6 +616,9 @@ public class KerbyContext implements GSSContextSpi {
if (gssEncryptor.isV2()) {
MicTokenV2 token = new MicTokenV2(this, msgProp, inTok, tokOffset, tokLen);
token.verify(inMsg, msgOffset, msgLen);
+ } else {
+ MicTokenV1 token = new MicTokenV1(this, msgProp, inTok, tokOffset, tokLen);
+ token.verify(inMsg, msgOffset, msgLen);
}
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/81eba4da/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
index d65346b..9aff63e 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
@@ -25,29 +25,66 @@ import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
import org.apache.kerby.kerberos.kerb.crypto.CheckSumTypeHandler;
import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.crypto.cksum.provider.Md5Provider;
+import org.apache.kerby.kerberos.kerb.crypto.enc.provider.DesProvider;
+import org.apache.kerby.kerberos.kerb.crypto.enc.provider.Rc4Provider;
import org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.ietf.jgss.GSSException;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
/**
* This class implements encryption related function used in GSS tokens
*/
public class KerbyGssEncryptor {
- private EncryptionKey encKey;
+ private final EncryptionKey encKey;
+ private final EncryptionType encKeyType; // The following two variables used for convenience
+ private final byte[] encKeyBytes;
+
+ private CheckSumType checkSumTypeDef;
+ private int checkSumSize;
+
private boolean isV2 = false;
+ private int sgnAlg = 0xFFFF;
+ private int sealAlg = 0xFFFF;
+ private boolean isArcFourHmac = false;
+
+ private static final byte[] IV_ZEROR_8B = new byte[8];
public KerbyGssEncryptor(EncryptionKey key) throws GSSException {
encKey = key;
- EncryptionType keyType = key.getKeyType();
- // TODO: add support for other algorithms
- if (keyType == EncryptionType.AES128_CTS_HMAC_SHA1_96
- || keyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
+ encKeyBytes = encKey.getKeyData();
+ encKeyType = key.getKeyType();
+
+ if (encKeyType == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
+ checkSumSize = 12;
+ checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES128;
isV2 = true;
+ } else if (encKeyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
+ checkSumSize = 12;
+ checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES256;
+ isV2 = true;
+ } else if (encKeyType == EncryptionType.DES_CBC_CRC || encKeyType == EncryptionType.DES_CBC_MD5) {
+ sgnAlg = KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5;
+ sealAlg = KerbyGssTokenV1.SEAL_ALG_DES;
+ checkSumSize = 8;
+ } else if (encKeyType == EncryptionType.DES3_CBC_SHA1) {
+ sgnAlg = KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD;
+ sealAlg = KerbyGssTokenV1.SEAL_ALG_DES3_KD;
+ checkSumSize = 20;
+ } else if (encKeyType == EncryptionType.ARCFOUR_HMAC) {
+ sgnAlg = KerbyGssTokenV1.SGN_ALG_RC4_HMAC;
+ sealAlg = KerbyGssTokenV1.SEAL_ALG_RC4_HMAC;
+ checkSumSize = 16;
+ isArcFourHmac = true;
} else {
throw new GSSException(GSSException.FAILURE, -1,
- "Invalid encryption type: " + key.getKeyType().getDisplayName());
+ "Invalid encryption type: " + encKeyType.getDisplayName());
}
}
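Review bot: `checkSumSize = 16` for ARCFOUR_HMAC looks inconsistent with the token layout this code targets: the RFC 1964/4757 header keeps an 8-byte SGN_CKSUM field (the HMAC-MD5 output is truncated), and MIT krb5 uses a checksum size of 8 for this signing algorithm, so please confirm against RFC 4757 §7.2/7.3 — a 16-byte field will not interoperate with other RFC 4757 peers, and fixing it also means truncating the value calculateCheckSum returns before comparing or writing it. The constructor also accepts single DES (DES_CBC_CRC, DES_CBC_MD5) unconditionally, although DES was deprecated for Kerberos by RFC 6649; at minimum document it, e.g. `// DES and RC4-HMAC are accepted only for RFC 1964/4757 interoperability; prefer AES (v2 tokens).` Minor: `IV_ZEROR_8B` is presumably a typo for `IV_ZERO_8B`.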
@@ -59,6 +96,18 @@ public class KerbyGssEncryptor {
return isV2;
}
+ public int getSgnAlg() {
+ return sgnAlg;
+ }
+
+ public int getSealAlg() {
+ return sealAlg;
+ }
+
+ public boolean isArcFourHmac() {
+ return isArcFourHmac;
+ }
+
public byte[] encryptData(byte[] tokenHeader, byte[] data,
int offset, int len, int keyUsage) throws GSSException {
byte[] ret;
@@ -102,37 +151,238 @@ public class KerbyGssEncryptor {
}
try {
- return getCheckSumHandler().checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
+ return CheckSumHandler.getCheckSumHandler(checkSumTypeDef)
+ .checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
} catch (KrbException e) {
throw new GSSException(GSSException.FAILURE, -1,
- "Exception in checksum calculation:" + encKey.getKeyType().getName());
+ "Exception in checksum calculation:" + e.getMessage());
+ }
+ }
+
+ /**
+ * Get the size of the corresponding checksum algorithm
+ * @return
+ * @throws GSSException
+ */
+ public int getCheckSumSize() throws GSSException {
+ return checkSumSize;
+ }
+
+
+ private void addPadding(int paddingLen, byte[] outBuf, int offset) {
+ for (int i = 0; i < paddingLen; i++) {
+ outBuf[offset + i] = (byte) paddingLen;
+ }
+ }
+
+ private byte[] getFirstBytes(byte[] src, int len) {
+ if (len < src.length) {
+ byte[] ret = new byte[len];
+ System.arraycopy(src, 0, ret, 0, len);
+ return ret;
}
+ return src;
}
- private CheckSumTypeHandler getCheckSumHandler() throws GSSException {
- CheckSumType checkSumType;
- if (encKey.getKeyType() == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
- checkSumType = CheckSumType.HMAC_SHA1_96_AES128;
- } else if (encKey.getKeyType() == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
- checkSumType = CheckSumType.HMAC_SHA1_96_AES256;
+ private byte[] getKeyBytesWithLength(int len) {
+ return getFirstBytes(encKeyBytes, len);
+ }
+
+ public byte[] calculateCheckSum(byte[] confounder, byte[] header,
+ byte[] data, int offset, int len, int paddingLen, boolean isMic)
+ throws GSSException {
+ byte[] ret;
+ int keyUsage = KerbyGssTokenV1.KG_USAGE_SIGN;
+ CheckSumTypeHandler handler;
+
+ int keySize;
+ byte[] key;
+ byte[] toProc;
+ int toOffset;
+ int toLen = (confounder == null ? 0 : confounder.length)
+ + (header == null ? 0 : header.length) + len + paddingLen;
+ if (toLen == len) {
+ toProc = data;
+ toOffset = offset;
} else {
+ toOffset = 0;
+ int idx = 0;
+ toProc = new byte[toLen];
+
+ if (header != null) {
+ System.arraycopy(header, 0, toProc, idx, header.length);
+ idx += header.length;
+ }
+
+ if (confounder != null) {
+ System.arraycopy(confounder, 0, toProc, idx, confounder.length);
+ idx += confounder.length;
+ }
+
+ System.arraycopy(data, offset, toProc, idx, len);
+ addPadding(paddingLen, toProc, len + idx);
+ }
+
+ CheckSumType chksumType;
+ try {
+ switch (sgnAlg) {
+ case KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5:
+ Md5Provider md5Provider = new Md5Provider();
+ md5Provider.hash(toProc);
+ toProc = md5Provider.output();
+
+ case KerbyGssTokenV1.SGN_ALG_DES_MAC:
+ DesProvider desProvider = new DesProvider();
+ return desProvider.cbcMac(encKeyBytes, IV_ZEROR_8B, toProc);
+
+ case KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
+ chksumType = CheckSumType.HMAC_SHA1_DES3_KD;
+ break;
+ case KerbyGssTokenV1.SGN_ALG_RC4_HMAC:
+ chksumType = CheckSumType.MD5_HMAC_ARCFOUR;
+ if (isMic) {
+ keyUsage = KerbyGssTokenV1.KG_USAGE_MS_SIGN;
+ }
+ break;
+ case KerbyGssTokenV1.SGN_ALG_MD25:
+ throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for SGN_ALG_MD25");
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for sgnAlg=" + sgnAlg);
+ }
+ handler = CheckSumHandler.getCheckSumHandler(chksumType);
+ keySize = handler.keySize();
+ key = getKeyBytesWithLength(keySize);
+ ret = handler.checksumWithKey(toProc, toOffset, toLen, key, keyUsage);
+ } catch (KrbException e) {
throw new GSSException(GSSException.FAILURE, -1,
- "Unsupported checksum encryption type:" + encKey.getKeyType().getName());
+ "Exception in checksum calculation sgnAlg = " + sgnAlg + " : " + e.getMessage());
}
+ return ret;
+ }
+
+ public byte[] encryptSequenceNumber(byte[] seqBytes, byte[] ivSrc, boolean encrypt)
+ throws GSSException {
+ EncTypeHandler handler;
try {
- return CheckSumHandler.getCheckSumHandler(checkSumType);
+ switch (sgnAlg) {
+ case KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5:
+ case KerbyGssTokenV1.SGN_ALG_DES_MAC:
+ DesProvider desProvider = new DesProvider();
+ byte[] data = seqBytes.clone();
+ if (encrypt) {
+ desProvider.encrypt(encKeyBytes, ivSrc, data);
+ } else {
+ desProvider.decrypt(encKeyBytes, ivSrc, data);
+ }
+ return data;
+ case KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
+ break;
+ case KerbyGssTokenV1.SGN_ALG_RC4_HMAC:
+ return encryptArcFourHmac(seqBytes, getKeyBytesWithLength(16), getFirstBytes(ivSrc, 8), encrypt);
+ case KerbyGssTokenV1.SGN_ALG_MD25:
+ throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for SGN_ALG_MD25");
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for sgnAlg=" + sgnAlg);
+ }
+ int keySize = handler.keySize();
+ byte[] key = getKeyBytesWithLength(keySize);
+ int ivLen = handler.encProvider().blockSize();
+ byte[] iv = getFirstBytes(ivSrc, ivLen);
+ if (encrypt) {
+ return handler.encryptRaw(seqBytes, key, iv, KerbyGssTokenV1.KG_USAGE_SEQ);
+ } else {
+ return handler.decryptRaw(seqBytes, key, iv, KerbyGssTokenV1.KG_USAGE_SEQ);
+ }
} catch (KrbException e) {
throw new GSSException(GSSException.FAILURE, -1,
- "Unsupported checksum type:" + checkSumType.getName());
+ "Exception in encrypt seq number sgnAlg = " + sgnAlg + " : " + e.getMessage());
}
}
- /**
- * Get the size of the corresponding checksum algorithm
- * @return
- * @throws GSSException
- */
- public int getCheckSumSize() throws GSSException {
- return getCheckSumHandler().cksumSize();
+ private byte[] getHmacMd5(byte[] key, byte[] salt) throws GSSException {
+ try {
+ SecretKey secretKey = new SecretKeySpec(key, "HmacMD5");
+ Mac mac = Mac.getInstance("HmacMD5");
+ mac.init(secretKey);
+ return mac.doFinal(salt);
+ } catch (Exception e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Get HmacMD5 failed: " + e.getMessage());
+ }
+ }
+
+ private byte[] encryptArcFourHmac(byte[] data, byte[] key, byte[] iv, boolean encrypt)
+ throws GSSException {
+ byte[] sk1 = getHmacMd5(key, new byte[4]);
+ byte[] sk2 = getHmacMd5(sk1, iv);
+ Rc4Provider provider = new Rc4Provider();
+ try {
+ byte[] ret = data.clone();
+ if (encrypt) {
+ provider.encrypt(sk2, ret);
+ } else {
+ provider.decrypt(sk2, ret);
+ }
+ return ret;
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "En/Decrypt sequence failed for ArcFourHmac: " + e.getMessage());
+ }
+ }
+
+ private byte[] encryptDataArcFourHmac(byte[] data, byte[] key, byte[] seqNum, boolean encrypt) throws GSSException {
+ byte[] dataKey = new byte[key.length];
+ for (int i = 0; i <= 15; i++) {
+ dataKey[i] = (byte) (key[i] ^ 0xF0);
+ }
+ return encryptArcFourHmac(data, dataKey, seqNum, encrypt);
+ }
+
+ public byte[] encryptTokenV1(byte[] confounder, byte[] data, int offset, int len,
+ int paddingLen, byte[] seqNumber, boolean encrypt) throws GSSException {
+ byte[] toProc;
+ if (encrypt) {
+ int toLen = (confounder == null ? 0 : confounder.length) + len + paddingLen;
+ int index = 0;
+ toProc = new byte[toLen];
+ if (confounder != null) {
+ System.arraycopy(confounder, 0, toProc, 0, confounder.length);
+ index += confounder.length;
+ }
+ System.arraycopy(data, offset, toProc, index, len);
+ addPadding(paddingLen, toProc, index + len);
+ } else {
+ toProc = data;
+ if (data.length != len) {
+ toProc = new byte[len];
+ System.arraycopy(data, offset, toProc, 0, len);
+ }
+ }
+ EncTypeHandler handler;
+ try {
+ switch (sealAlg) {
+ case KerbyGssTokenV1.SEAL_ALG_DES:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES_CBC_MD5);
+ break;
+ case KerbyGssTokenV1.SEAL_ALG_DES3_KD:
+ handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
+ break;
+ case KerbyGssTokenV1.SEAL_ALG_RC4_HMAC:
+ return encryptDataArcFourHmac(toProc, getKeyBytesWithLength(16), seqNumber, encrypt);
+ default:
+ throw new GSSException(GSSException.FAILURE, -1, "Unknown encryption type sealAlg = " + sealAlg);
+ }
+
+ int keySize = handler.keySize();
+ byte[] key = getKeyBytesWithLength(keySize);
+ if (encrypt) {
+ return handler.encryptRaw(toProc, key, KerbyGssTokenV1.KG_USAGE_SEAL);
+ } else {
+ return handler.decryptRaw(toProc, key, KerbyGssTokenV1.KG_USAGE_SEAL);
+ }
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in encrypt data sealAlg = " + sealAlg + " : " + e.getMessage());
+ }
}
-}
+}
\ No newline at end of file
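Review bot: In `calculateCheckSum` the `if (toLen == len)` shortcut aliases `toProc = data; toOffset = offset;`, but the DES branches then consume the whole array (`md5Provider.hash(toProc)` and `desProvider.cbcMac(encKeyBytes, IV_ZEROR_8B, toProc)`) ignoring toOffset and toLen, so a caller with a non-zero offset or an oversized buffer would get a checksum over the wrong bytes. Every visible caller passes the 8-byte commHeader, so toLen > len today and the shortcut is dead code, which is all the more reason to delete it and always build toProc. The fall-through from `case KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5:` into `SGN_ALG_DES_MAC` is intentional (DES MAC MD5 is a DES-CBC-MAC over the MD5 digest, RFC 1964 §1.2.1.1) but reads like a missing break; mark it `// fall through: DES-CBC-MAC over the MD5 digest (RFC 1964 §1.2.1.1)`. Note also that `getKeyBytesWithLength` hands back the live encKeyBytes array whenever the requested length is not shorter, so callees receive an alias of the context key; that is safe only while none of them mutates its key argument (encryptDataArcFourHmac copies before XOR-ing, which is right), and a comment on getFirstBytes should say so.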
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/81eba4da/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
new file mode 100644
index 0000000..6b1a2c7
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
@@ -0,0 +1,319 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import sun.security.jgss.GSSHeader;
+import sun.security.util.ObjectIdentifier;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+/**
+ * This class implements the token formats defined in RFC 1964 and its updates
+ *
+ * The GSS Wrap token has the following format:
+ *
+ * Byte no Name Description
+ * 0..1 TOK_ID 0201
+ *
+ * 2..3 SGN_ALG Checksum algorithm indicator.
+ * 00 00 DES MAC MD5
+ * 01 00 MD2.5
+ * 02 00 DES MAC
+ * 04 00 HMAC SHA1 DES3-KD
+ * 11 00 RC4-HMAC used by Microsoft Windows, RFC 4757
+ * 4..5 SEAL_ALG ff ff none
+ * 00 00 DES
+ * 02 00 DES3-KD
+ * 10 00 RC4-HMAC
+ * 6..7 Filler FF FF
+ * 8..15 SND_SEQ Encrypted sequence number field.
+ * 16..23 SNG_CKSUM Checksum of plaintext padded data,
+ * calculated according to algorithm
+ * specified in SGN_ALG field.
+ * 24.. Data Encrypted or plaintext padded data
+ *
+ *
+ *
+ * Use of the GSS MIC token has the following format:
+
+ * Byte no Name Description
+ * 0..1 TOK_ID 0101
+ * 2..3 SGN_ALG Integrity algorithm indicator.
+ * 4..7 Filler Contains ff ff ff ff
+ * 8..15 SND_SEQ Sequence number field.
+ * 16..23 SGN_CKSUM Checksum of "to-be-signed data",
+ * calculated according to algorithm
+ * specified in SGN_ALG field.
+ *
+ */
+abstract class KerbyGssTokenV1 extends KerbyGssTokenBase {
+ // SGN ALG
+ public static final int SGN_ALG_DES_MAC_MD5 = 0;
+ public static final int SGN_ALG_MD25 = 0x0100;
+ public static final int SGN_ALG_DES_MAC = 0x0200;
+ public static final int SGN_ALG_HMAC_SHA1_DES3_KD = 0x0400;
+ public static final int SGN_ALG_RC4_HMAC = 0x1100;
+
+ // SEAL ALG
+ public static final int SEAL_ALG_NONE = 0xFFFF;
+ public static final int SEAL_ALG_DES = 0x0; // "DES/CBC/NoPadding"
+ public static final int SEAL_ALG_DES3_KD = 0x0200;
+ public static final int SEAL_ALG_RC4_HMAC = 0x1000;
+
+ public static final int KG_USAGE_SEAL = 22;
+ public static final int KG_USAGE_SIGN = 23;
+ public static final int KG_USAGE_SEQ = 24;
+ public static final int KG_USAGE_MS_SIGN = 15;
+
+ private boolean isInitiator;
+ private boolean confState;
+ private int sequenceNumber;
+
+ protected KerbyGssEncryptor encryptor;
+
+ private GSSHeader gssHeader;
+
+ public static final int TOKEN_HEADER_COMM_SIZE = 8;
+ public static final int TOKEN_HEADER_SEQ_SIZE = 8;
+
+ // Token commHeader data
+ private int tokenType;
+ private byte[] commHeader = new byte[TOKEN_HEADER_COMM_SIZE];
+ private int sgnAlg;
+ private int sealAlg;
+
+ private byte[] plainSequenceBytes;
+ private byte[] encryptedSequenceNumber = new byte[TOKEN_HEADER_SEQ_SIZE];
+ private byte[] checkSum;
+ private int checkSumSize;
+
+ protected int reconHeaderLen; // only used for certain reason
+
+ public static ObjectIdentifier objId;
+
+ static {
+ try {
+ objId = new ObjectIdentifier("1.2.840.113554.1.2.2");
+ } catch (IOException ioe) { // NOPMD
+ }
+ }
+
+ protected int getTokenHeaderSize() {
+ return TOKEN_HEADER_COMM_SIZE + TOKEN_HEADER_SEQ_SIZE + checkSumSize;
+ }
+
+ protected byte[] getPlainSequenceBytes() {
+ byte[] ret = new byte[4];
+ ret[0] = plainSequenceBytes[0];
+ ret[1] = plainSequenceBytes[1];
+ ret[2] = plainSequenceBytes[2];
+ ret[3] = plainSequenceBytes[3];
+ return ret;
+ }
+
+ // Generate a new token
+ KerbyGssTokenV1(int tokenType, KerbyContext context) throws GSSException {
+ initialize(tokenType, context, false);
+ createTokenHeader();
+ }
+
+ // Reconstruct a token
+ KerbyGssTokenV1(int tokenType, KerbyContext context, MessageProp prop,
+ byte[] token, int offset, int size) throws GSSException {
+ int proxLen = size > 64 ? 64 : size;
+ InputStream is = new ByteArrayInputStream(token, offset, proxLen);
+ reconstructInitializaion(tokenType, context, prop, is);
+ reconHeaderLen = gssHeader.getLength() + getTokenHeaderSize();
+ }
+
+ // Reconstruct a token
+ KerbyGssTokenV1(int tokenType, KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
+ reconstructInitializaion(tokenType, context, prop, is);
+ }
+
+ private void reconstructInitializaion(int tokenType, KerbyContext context, MessageProp prop, InputStream is)
+ throws GSSException {
+ initialize(tokenType, context, true);
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ try {
+ gssHeader = new GSSHeader(is);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token:" + e.getMessage());
+ }
+
+ if (!gssHeader.getOid().equals((Object) objId)) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token OID");
+ }
+
+ reconstructTokenHeader(is, prop);
+ }
+
+ private void initialize(int tokenType,
+ KerbyContext context,
+ boolean reconstruct) throws GSSException {
+ this.tokenType = tokenType;
+ this.isInitiator = context.isInitiator();
+ this.confState = context.getConfState();
+ this.encryptor = context.getGssEncryptor();
+ this.checkSumSize = encryptor.getCheckSumSize();
+ if (!reconstruct) {
+ this.sequenceNumber = context.incMySequenceNumber();
+ } else {
+ checkSum = new byte[checkSumSize];
+ }
+ }
+
+ protected void calcPrivacyInfo(MessageProp prop, byte[] confounder, byte[] data,
+ int dataOffset, int dataLength, int paddingLen) throws GSSException {
+ prop.setQOP(0);
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ checkSum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
+ encryptSequenceNumber();
+ }
+
+ protected void verifyToken(byte[] confounder, byte[] data, int dataOffset, int dataLength, int paddingLen)
+ throws GSSException {
+ byte[] sum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
+ if (!MessageDigest.isEqual(checkSum, sum)) {
+ throw new GSSException(GSSException.BAD_MIC, -1,
+ "Corrupt token checksum for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
+ }
+ }
+
+ private byte[] calcCheckSum(byte[] confounder, byte[] header, byte[] data,
+ int dataOffset, int dataLength, int paddingLen) throws GSSException {
+ return encryptor.calculateCheckSum(confounder, header, data, dataOffset, dataLength, paddingLen,
+ tokenType == TOKEN_MIC_V1);
+ }
+
+ private void encryptSequenceNumber() throws GSSException {
+ plainSequenceBytes = new byte[8];
+ if (encryptor.isArcFourHmac()) {
+ writeBigEndian(plainSequenceBytes, 0, sequenceNumber);
+ } else {
+ plainSequenceBytes[0] = (byte) sequenceNumber;
+ plainSequenceBytes[1] = (byte) (sequenceNumber >>> 8);
+ plainSequenceBytes[2] = (byte) (sequenceNumber >>> 16);
+ plainSequenceBytes[3] = (byte) (sequenceNumber >>> 24);
+ }
+
+ // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
+ if (!isInitiator) {
+ plainSequenceBytes[4] = (byte) 0xFF;
+ plainSequenceBytes[5] = (byte) 0xFF;
+ plainSequenceBytes[6] = (byte) 0xFF;
+ plainSequenceBytes[7] = (byte) 0xFF;
+ }
+
+ encryptedSequenceNumber = encryptor.encryptSequenceNumber(plainSequenceBytes, checkSum, true);
+ }
+
+ public void encodeHeader(OutputStream os) throws GSSException, IOException {
+ // | GSSHeader | TokenHeader |
+ GSSHeader gssHeader = new GSSHeader(objId, getTokenSizeWithoutGssHeader());
+ gssHeader.encode(os);
+ os.write(commHeader);
+ os.write(encryptedSequenceNumber);
+ os.write(checkSum);
+ }
+
+ private void createTokenHeader() {
+ commHeader[0] = (byte) (tokenType >>> 8);
+ commHeader[1] = (byte) tokenType;
+
+ sgnAlg = encryptor.getSgnAlg();
+ commHeader[2] = (byte) (sgnAlg >>> 8);
+ commHeader[3] = (byte) sgnAlg;
+
+ if (tokenType == TOKEN_WRAP_V1) {
+ sealAlg = encryptor.getSealAlg();
+ commHeader[4] = (byte) (sealAlg >>> 8);
+ commHeader[5] = (byte) sealAlg;
+ } else {
+ commHeader[4] = (byte) 0xFF;
+ commHeader[5] = (byte) 0xFF;
+ }
+
+ commHeader[6] = (byte) 0xFF;
+ commHeader[7] = (byte) 0xFF;
+ }
+
+ // Re-construct token commHeader
+ private void reconstructTokenHeader(InputStream is, MessageProp prop) throws GSSException {
+ try {
+ if (is.read(commHeader) != commHeader.length
+ || is.read(encryptedSequenceNumber) != encryptedSequenceNumber.length
+ || is.read(checkSum) != checkSum.length) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Insufficient in reconstruct token header");
+ }
+ initTokenHeader(commHeader, prop);
+
+ plainSequenceBytes = encryptor.encryptSequenceNumber(encryptedSequenceNumber, checkSum, false);
+ byte dirc = isInitiator ? (byte) 0xFF : 0;
+ // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
+ if (!(plainSequenceBytes[4] == dirc && plainSequenceBytes[5] == dirc
+ && plainSequenceBytes[6] == dirc && plainSequenceBytes[7] == dirc)) {
+ throw new GSSException(GSSException.BAD_MIC, -1,
+ "Corrupt token sequence for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error in reconstruct token header:" + e.getMessage());
+ }
+ }
+
+ private void initTokenHeader(byte[] tokenBytes, MessageProp prop) throws GSSException {
+ int tokenIDRecv = (((int) tokenBytes[0]) << 8) + tokenBytes[1];
+ if (tokenType != tokenIDRecv) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
+ "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
+ }
+
+ sgnAlg = (((int) tokenBytes[2]) << 8) + tokenBytes[3];
+ sealAlg = (((int) tokenBytes[4]) << 8) + tokenBytes[5];
+
+ if (tokenBytes[6] != (byte) 0xFF || tokenBytes[7] != (byte) 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token head filler");
+ }
+
+ prop.setQOP(0);
+ prop.setPrivacy(sealAlg != SEAL_ALG_NONE);
+ }
+
+ protected GSSHeader getGssHeader() {
+ return gssHeader;
+ }
+
+ abstract int getTokenSizeWithoutGssHeader();
+}
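Review bot: `initTokenHeader` assembles the 16-bit fields with signed byte arithmetic, `(((int) tokenBytes[4]) << 8) + tokenBytes[5]`, so the FF FF bytes of a MIC token or an unsealed Wrap token evaluate to -257 and never equal `SEAL_ALG_NONE` (0xFFFF), which makes `prop.setPrivacy(sealAlg != SEAL_ALG_NONE)` report privacy for every received token; mask each byte with `& 0xFF` (the same applies to tokenIDRecv and sgnAlg for any value with the high bit set). The parsed sgnAlg/sealAlg are also never compared with what this context negotiated (`encryptor.getSgnAlg()` / `getSealAlg()`), so a header naming another algorithm should be rejected as DEFECTIVE_TOKEN before it influences anything, as below. Separately, `reconstructTokenHeader` relies on `is.read(buf) != buf.length` to detect truncation, but InputStream.read may legitimately return fewer bytes before EOF; use `new DataInputStream(is).readFully(buf)` or a read loop. I could not find a check of the decrypted sequence number against the peer's expected value anywhere in this class, so unless WrapTokenV1/MicTokenV1 do it through the context, replayed tokens will verify — worth confirming and documenting on the class.
```java
    private void initTokenHeader(byte[] tokenBytes, MessageProp prop) throws GSSException {
        // Bytes are signed in Java; mask them or FF FF can never equal 0xFFFF.
        int tokenIDRecv = ((tokenBytes[0] & 0xFF) << 8) | (tokenBytes[1] & 0xFF);
        // … unchanged: token-id check …
        sgnAlg = ((tokenBytes[2] & 0xFF) << 8) | (tokenBytes[3] & 0xFF);
        sealAlg = ((tokenBytes[4] & 0xFF) << 8) | (tokenBytes[5] & 0xFF);
        // Reject a header that names an algorithm other than the one negotiated for this context.
        if (sgnAlg != encryptor.getSgnAlg()
                || (sealAlg != SEAL_ALG_NONE && sealAlg != encryptor.getSealAlg())) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
                    "Unexpected algorithm in token header: sgnAlg=" + sgnAlg + " sealAlg=" + sealAlg);
        }
        // … unchanged: filler check, QOP and privacy flags …
    }
```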
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/81eba4da/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
new file mode 100644
index 0000000..6a76e4c
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class MicTokenV1 extends KerbyGssTokenV1 {
+ public MicTokenV1(KerbyContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_MIC_V1, context);
+ calcPrivacyInfo(messageProp, null, inMsg, msgOffset, msgLength, 0);
+ }
+
+ // This is called to construct MicToken from MicToken bytes
+ MicTokenV1(KerbyContext context,
+ MessageProp messageProp,
+ byte[] inToken,
+ int tokenOffset,
+ int tokenLength) throws GSSException {
+ super(TOKEN_MIC_V1, context, messageProp, inToken, tokenOffset, tokenLength);
+ }
+
+ public int getMic(byte[] outToken, int offset) throws GSSException, IOException {
+ byte[] data = getMic();
+ System.arraycopy(data, 0, outToken, offset, data.length);
+ return data.length;
+ }
+
+ /**
+ * Get bytes for this Mic token
+ * @return
+ */
+ public byte[] getMic() throws GSSException {
+ ByteArrayOutputStream os = new ByteArrayOutputStream(64);
+ getMic(os);
+ return os.toByteArray();
+ }
+
+ public void getMic(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error in output MicTokenV1 bytes:" + e.getMessage());
+ }
+ }
+
+ public void verify(InputStream is) throws GSSException {
+ byte[] data;
+ try {
+ data = new byte[is.available()];
+ is.read(data);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Read plain data for MicTokenV1 error:" + e.getMessage());
+ }
+ verify(data, 0, data.length);
+ }
+
+ public void verify(byte[] data, int offset, int len) throws GSSException {
+ verifyToken(null, data, offset, len, 0);
+ }
+
+ protected int getTokenSizeWithoutGssHeader() {
+ return getTokenHeaderSize();
+ }
+}
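Review bot: `verify(InputStream is)` sizes its buffer with `is.available()` and ignores the return value of `is.read(data)`; `available()` is only an estimate and a single `read` may return fewer bytes, so on anything other than a `ByteArrayInputStream` the tail of `data` stays zero and verification fails with a misleading checksum error instead of a read error. Loop until the buffer is full or EOF and pass the byte count actually read to `verify(data, 0, n)`, as sketched below; the `InputStream` constructor of WrapTokenV1 in this commit has the same `is.read(token)` pattern. The Javadoc on `getMic()` has an empty `@return`; `@return the complete MIC token bytes, GSS header included` plus a `@throws GSSException if the header cannot be encoded` line would complete it.
```java
public void verify(InputStream is) throws GSSException {
    byte[] data;
    int n = 0;
    try {
        data = new byte[is.available()];
        int r;
        // available() is only a hint; keep reading until the buffer is full or EOF
        while (n < data.length && (r = is.read(data, n, data.length - n)) != -1) {
            n += r;
        }
    } catch (IOException e) {
        // … unchanged: wrap in GSSException(FAILURE) …
    }
    verify(data, 0, n);
}
```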
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/81eba4da/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
new file mode 100644
index 0000000..8ecdae4
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
@@ -0,0 +1,196 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.apache.kerby.kerberos.kerb.crypto.util.Random;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import sun.security.jgss.GSSHeader;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class WrapTokenV1 extends KerbyGssTokenV1 {
+ public static final int CONFOUNDER_SIZE = 8;
+
+ private boolean privacy;
+
+ private byte[] inData;
+ private int inOffset;
+ private int inLen;
+
+ private int paddingLen;
+ private byte[] confounder;
+ private int tokenBodyLen;
+
+ private byte[] bodyData;
+ private int bodyOffset;
+ private int bodyLen;
+
+ // for reconstruct
+ private int rawDataLength;
+ private byte[] rawData;
+ private int rawDataOffset;
+
+
+ // Generate wrap token according user data
+ public WrapTokenV1(KerbyContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp prop) throws GSSException {
+ super(TOKEN_WRAP_V1, context);
+
+ paddingLen = getPaddingLength(msgLength);
+ confounder = Random.makeBytes(CONFOUNDER_SIZE);
+ tokenBodyLen = CONFOUNDER_SIZE + msgLength + paddingLen;
+
+ calcPrivacyInfo(prop, confounder, inMsg, msgOffset, msgLength, paddingLen);
+
+ if (!context.getConfState()) {
+ prop.setPrivacy(false);
+ }
+ privacy = prop.getPrivacy();
+ inData = inMsg;
+ inOffset = msgOffset;
+ inLen = msgLength;
+ }
+
+ // Reconstruct a token from token bytes
+ public WrapTokenV1(KerbyContext context, MessageProp prop,
+ byte[] token, int offset, int len) throws GSSException {
+ super(TOKEN_WRAP_V1, context, prop, token, offset, len);
+ // adjust the offset to the beginning of the body
+ bodyData = token;
+ bodyOffset = offset + reconHeaderLen;
+ bodyLen = len - reconHeaderLen;
+ getRawData(prop);
+ }
+
+ // Reconstruct a token from token bytes stream
+ public WrapTokenV1(KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
+ super(TOKEN_WRAP_V1, context, prop, is);
+ byte[] token;
+ int len;
+ try {
+ len = is.available();
+ token = new byte[len];
+ is.read(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Read wrap token V1 error:" + e.getMessage());
+ }
+ bodyData = token;
+ bodyOffset = 0;
+ bodyLen = len;
+ getRawData(prop);
+ }
+
+ private void getRawData(MessageProp prop) throws GSSException {
+ privacy = prop.getPrivacy();
+ tokenBodyLen = getGssHeader().getMechTokenLength() - getTokenHeaderSize();
+
+ if (bodyLen < tokenBodyLen) {
+ throw new GSSException(GSSException.FAILURE, -1, "Insufficient data for Wrap token V1");
+ }
+
+ if (privacy) {
+ rawData = encryptor.encryptTokenV1(null, bodyData, bodyOffset, tokenBodyLen, 0,
+ encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, false);
+ paddingLen = rawData[rawData.length - 1];
+ rawDataOffset = CONFOUNDER_SIZE;
+ } else {
+ rawData = bodyData;
+ paddingLen = bodyData[bodyOffset + tokenBodyLen - 1];
+ rawDataOffset = bodyOffset + CONFOUNDER_SIZE;
+ }
+ rawDataLength = tokenBodyLen - CONFOUNDER_SIZE - paddingLen;
+
+ verifyToken(null, rawData, rawDataOffset - CONFOUNDER_SIZE, tokenBodyLen, 0);
+ }
+
+ // Get plain text data from token data bytes
+ public byte[] unwrap() throws GSSException {
+ byte[] ret = new byte[rawDataLength];
+ System.arraycopy(rawData, rawDataOffset, ret, 0, rawDataLength);
+ return ret;
+ }
+
+ public void unwrap(OutputStream os) throws GSSException {
+ try {
+ os.write(rawData, rawDataOffset, rawDataLength);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error in output wrap token v1 data bytes:" + e.getMessage());
+ }
+ }
+
+ public byte[] wrap() throws GSSException {
+ ByteArrayOutputStream os = new ByteArrayOutputStream(getTokenSizeWithoutGssHeader() + inLen + 64);
+ wrap(os);
+ return os.toByteArray();
+ }
+
+ public void wrap(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ if (privacy) {
+ byte[] enc = encryptor.encryptTokenV1(confounder, inData, inOffset, inLen, paddingLen,
+ encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, true);
+ os.write(enc);
+ } else {
+ os.write(confounder);
+ os.write(inData, inOffset, inLen);
+ os.write(getPaddingBytes(paddingLen));
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error in output wrap token v1 bytes:" + e.getMessage());
+ }
+ }
+
+ protected int getTokenSizeWithoutGssHeader() {
+ return tokenBodyLen + getTokenHeaderSize();
+ }
+
+ private int getPaddingLength(int dataLen) {
+ if (encryptor.isArcFourHmac()) {
+ return 1;
+ }
+ return 8 - (dataLen % 8);
+ }
+
+ private byte[] getPaddingBytes(int len) {
+ byte[] ret = new byte[len];
+ int i = 0;
+ while (i < len) {
+ ret[i++] = (byte) len;
+ }
+ return ret;
+ }
+
+ public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, KerbyGssEncryptor encryptor)
+ throws GSSException {
+ return GSSHeader.getMaxMechTokenSize(objId, maxTokSize)
+ - encryptor.getCheckSumSize()
+ - TOKEN_HEADER_COMM_SIZE - TOKEN_HEADER_SEQ_SIZE
+ - CONFOUNDER_SIZE - 8;
+ }
+}
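Review bot: `getRawData` reads `paddingLen` from the last body byte as a signed `byte` and feeds it unchecked into `rawDataLength = tokenBodyLen - CONFOUNDER_SIZE - paddingLen`, so a pad byte outside 1..8 (any value ≥ 0x80 reads as negative) yields a wrong or negative length that surfaces later in `unwrap()` as an unchecked array exception instead of a `GSSException`; `tokenBodyLen` is likewise only bounded from above by `bodyLen < tokenBodyLen`, so a header advertising a mech token shorter than the token header indexes `bodyData` with a negative offset. The checksum check at the end of the method does reject tampered bodies, so these are robustness gaps for malformed peer tokens rather than bypasses, but they belong as `DEFECTIVE_TOKEN` failures, as sketched below: read the pad byte unsigned, run `verifyToken` before interpreting the pad so that pad handling never reports anything the checksum has not already covered, then validate the pad length and pad bytes (RFC 1964 requires 1..8 bytes each equal to the pad length, which is what `getPaddingBytes` writes). The `InputStream` constructor ignores the return value of `is.read(token)`, the same issue raised on MicTokenV1 in this commit. `getMsgSizeLimit` ignores `qop` and `confReq`; its Javadoc should say so.
```java
private void getRawData(MessageProp prop) throws GSSException {
    privacy = prop.getPrivacy();
    tokenBodyLen = getGssHeader().getMechTokenLength() - getTokenHeaderSize();

    // the body must at least hold the confounder and one pad byte
    if (tokenBodyLen < CONFOUNDER_SIZE + 1 || bodyLen < tokenBodyLen) {
        throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Insufficient data for Wrap token V1");
    }

    // … unchanged: privacy / plaintext branches, except that the pad byte is read unsigned …
    //   paddingLen = rawData[rawData.length - 1] & 0xFF;              (privacy)
    //   paddingLen = bodyData[bodyOffset + tokenBodyLen - 1] & 0xFF;   (plaintext)

    // checksum first: it covers the pad, so pad errors below never say more than the checksum does
    verifyToken(null, rawData, rawDataOffset - CONFOUNDER_SIZE, tokenBodyLen, 0);

    // RFC 1964: 1..8 pad bytes, each equal to the pad length
    if (paddingLen < 1 || paddingLen > 8 || paddingLen + CONFOUNDER_SIZE > tokenBodyLen) {
        throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid padding length in Wrap token V1");
    }
    for (int i = 1; i <= paddingLen; i++) {
        if ((rawData[rawDataOffset + tokenBodyLen - CONFOUNDER_SIZE - i] & 0xFF) != paddingLen) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid padding in Wrap token V1");
        }
    }
    rawDataLength = tokenBodyLen - CONFOUNDER_SIZE - paddingLen;
}
```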
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/81eba4da/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
index 3a128a9..57f9e45 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
@@ -147,7 +147,12 @@ public class WrapTokenV2 extends KerbyGssTokenV2 {
}
}
- static int getSizeLimit(int qop, boolean confReq, int maxTokSize) {
- return maxTokSize; // TODO: to be implemented
+ public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, KerbyGssEncryptor encryptor)
+ throws GSSException {
+ if (confReq) {
+ return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE * 2 - CONFOUNDER_SIZE;
+ } else {
+ return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE;
+ }
}
}
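Review bot: `getMsgSizeLimit` has no Javadoc and silently ignores `qop`; a doc comment stating that `qop` is accepted for API compatibility and unused, and that the result is the largest plaintext message that fits in `maxTokSize` after the token header(s), checksum and (with confidentiality) the confounder, would explain the two branches. The subtraction goes negative when `maxTokSize` is smaller than the fixed overhead; whether callers treat a negative limit as zero I cannot tell from this hunk, so either document that or clamp with `return Math.max(0, …);`. The `TOKEN_HEADER_SIZE * 2` term presumably accounts for the header copy carried inside the encrypted payload in the confidentiality case (RFC 4121 per the class comment); naming that in a comment such as `// header appears twice when sealed: once in clear, once inside the ciphertext` saves the next reader a trip to the RFC.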
[21/50] [abbrv] directory-kerby git commit: DIRKRB-571 Add encryptRaw
interface for GssToken encryption. Contributed by Wei.
Posted by co...@apache.org.
DIRKRB-571 Add encryptRaw interface for GssToken encryption. Contributed by Wei.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/223e4572
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/223e4572
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/223e4572
Branch: refs/heads/gssapi
Commit: 223e4572582f4b51aa3c21543f4b4469d4f71521
Parents: 81eba4d
Author: plusplusjiajia <ji...@intel.com>
Authored: Mon May 16 15:34:37 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/crypto/EncTypeHandler.java | 12 +++
.../kerb/crypto/enc/AbstractEncTypeHandler.java | 40 +++++++++-
.../kerberos/kerb/crypto/enc/DesCbcEnc.java | 25 ++++++-
.../kerby/kerberos/kerb/crypto/enc/KeKiEnc.java | 77 +++++++++++---------
.../kerberos/kerb/crypto/enc/Rc4HmacEnc.java | 13 +++-
5 files changed, 125 insertions(+), 42 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/223e4572/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncTypeHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncTypeHandler.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncTypeHandler.java
index 09bad5d..ac40935 100644
--- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncTypeHandler.java
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/EncTypeHandler.java
@@ -54,9 +54,21 @@ public interface EncTypeHandler extends CryptoTypeHandler {
byte[] encrypt(byte[] data, byte[] key, byte[] ivec,
int usage) throws KrbException;
+ byte[] encryptRaw(byte[] data, byte[] key, int usage)
+ throws KrbException;
+
+ byte[] encryptRaw(byte[] data, byte[] key, byte[] ivec,
+ int usage) throws KrbException;
+
byte[] decrypt(byte[] cipher, byte[] key, int usage)
throws KrbException;
byte[] decrypt(byte[] cipher, byte[] key, byte[] ivec,
int usage) throws KrbException;
+
+ byte[] decryptRaw(byte[] data, byte[] key, int usage)
+ throws KrbException;
+
+ byte[] decryptRaw(byte[] cipher, byte[] key, byte[] ivec,
+ int usage) throws KrbException;
}
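Review bot: The new `encryptRaw`/`decryptRaw` methods carry no Javadoc, and their contract differs from `encrypt`/`decrypt` in a way callers must know: judging by the implementations in this commit (AbstractEncTypeHandler, DesCbcEnc, KeKiEnc), raw mode applies the cipher to the buffer with no confounder, no padding and no checksum, so `decryptRaw` performs no integrity check and the caller must authenticate the data itself. A doc comment on `decryptRaw` along the lines of `/** Decrypts {@code cipher} with no confounder, padding or integrity check; the caller must verify integrity separately (e.g. via the enclosing GSS token checksum). */`, with the matching statement on `encryptRaw`, makes that explicit. The three-argument `decryptRaw` names its first parameter `data` while its four-argument sibling and the implementation use `cipher`; aligning the names avoids confusion. Rc4HmacEnc rejects raw mode with `KDC_ERR_ETYPE_NOSUPP`, which is also worth stating in the interface doc as a `@throws KrbException` clause.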
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/223e4572/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/AbstractEncTypeHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/AbstractEncTypeHandler.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/AbstractEncTypeHandler.java
index 28303c0..3d8c432 100644
--- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/AbstractEncTypeHandler.java
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/AbstractEncTypeHandler.java
@@ -123,12 +123,29 @@ public abstract class AbstractEncTypeHandler
int[] workLens = new int[] {confounderLen, checksumLen,
inputLen, paddingLen};
- encryptWith(workBuffer, workLens, key, iv, usage);
+ encryptWith(workBuffer, workLens, key, iv, usage, false);
+ return workBuffer;
+ }
+
+ @Override
+ public byte[] encryptRaw(byte[] data, byte[] key, int usage) throws KrbException {
+ byte[] iv = new byte[encProvider().blockSize()];
+ return encryptRaw(data, key, iv, usage);
+ }
+
+ @Override
+ public byte[] encryptRaw(byte[] data, byte[] key, byte[] iv, int usage) throws KrbException {
+ int checksumLen = checksumSize();
+ int[] workLens = new int[] {0, checksumLen, data.length, 0};
+ byte[] workBuffer = new byte[data.length];
+ System.arraycopy(data, 0, workBuffer, 0, data.length);
+
+ encryptWith(workBuffer, workLens, key, iv, usage, true);
return workBuffer;
}
protected void encryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
}
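Review bot: `encryptRaw` copies `data` with `new byte[]` plus `System.arraycopy`, where `byte[] workBuffer = data.clone();` says the same thing; more importantly, nothing validates `data.length` before `encryptWith(..., true)`. DesCbcEnc's raw branch in this commit passes the buffer straight to `encProvider().encrypt`, which for a CBC provider without padding presumably requires a block-size multiple, so an odd-length input would surface as a provider exception rather than a `KrbException`. A guard such as `if (data.length % encProvider().blockSize() != 0) { throw new KrbException(<ERROR_CODE_PLACEHOLDER>, "Raw input must be a multiple of the cipher block size"); }` at the top of the four-argument `encryptRaw` would give a clear failure; whether every provider needs it I cannot tell from this hunk, so it may belong in DesCbcEnc instead. `workLens` still carries `checksumLen` in raw mode although no checksum is produced; a comment such as `// raw mode: checksum slot is unused, no confounder or padding` would help the next reader.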
@@ -147,11 +164,26 @@ public abstract class AbstractEncTypeHandler
int dataLen = totalLen - (confounderLen + checksumLen);
int[] workLens = new int[] {confounderLen, checksumLen, dataLen};
- return decryptWith(cipher, workLens, key, iv, usage);
+ return decryptWith(cipher, workLens, key, iv, usage, false);
+ }
+
+ @Override
+ public byte[] decryptRaw(byte[] cipher, byte[] key, int usage)
+ throws KrbException {
+ byte[] iv = new byte[encProvider().blockSize()];
+ return decryptRaw(cipher, key, iv, usage);
+ }
+
+ @Override
+ public byte[] decryptRaw(byte[] cipher, byte[] key, byte[] iv, int usage)
+ throws KrbException {
+ int checksumLen = checksumSize();
+ int[] workLens = new int[] {0, checksumLen, cipher.length};
+ return decryptWith(cipher, workLens, key, iv, usage, true);
}
protected byte[] decryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
return null;
}
}
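Review bot: `decryptRaw` hands the caller's `cipher` array directly to `decryptWith`, and DesCbcEnc's raw branch in this commit decrypts `workBuffer` in place before copying it out, so the caller's ciphertext buffer is overwritten with plaintext — unlike `encryptRaw`, which copies first. Either copy here, `return decryptWith(cipher.clone(), workLens, key, iv, usage, true);`, or in DesCbcEnc copy before decrypting (`byte[] data = workBuffer.clone(); encProvider().decrypt(key, iv, data); return data;`), which also removes the redundant post-decrypt arraycopy there. The same in-place mutation applies to the DesCbcEnc decrypt hunk of this commit; KeKiEnc already copies into `tmpEnc` before decrypting.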
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/223e4572/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/DesCbcEnc.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/DesCbcEnc.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/DesCbcEnc.java
index 6834d0b..f57c498 100644
--- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/DesCbcEnc.java
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/DesCbcEnc.java
@@ -58,7 +58,16 @@ abstract class DesCbcEnc extends AbstractEncTypeHandler {
@Override
protected void encryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
+ if (!raw) {
+ doEncryptWith(workBuffer, workLens, key, iv);
+ } else {
+ encProvider().encrypt(key, iv, workBuffer);
+ }
+ }
+
+ private void doEncryptWith(byte[] workBuffer, int[] workLens,
+ byte[] key, byte[] iv) throws KrbException {
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int dataLen = workLens[2];
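Review bot: The negated branch `if (!raw) { doEncryptWith(...); } else { encProvider().encrypt(key, iv, workBuffer); }` reads more naturally as a guard, `if (raw) { encProvider().encrypt(key, iv, workBuffer); return; }` followed by the existing call. The raw branch also deserves a one-line comment, `// raw: cipher only, no confounder or checksum is applied`, since it is the only place in this file where the integrity step is skipped. `doEncryptWith` continues outside the hunk.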
@@ -83,7 +92,19 @@ abstract class DesCbcEnc extends AbstractEncTypeHandler {
@Override
protected byte[] decryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
+ if (!raw) {
+ return doDecryptWith(workBuffer, workLens, key, iv);
+ } else {
+ encProvider().decrypt(key, iv, workBuffer);
+ byte[] data = new byte[workBuffer.length];
+ System.arraycopy(workBuffer, 0, data, 0, data.length);
+ return data;
+ }
+ }
+
+ private byte[] doDecryptWith(byte[] workBuffer, int[] workLens,
+ byte[] key, byte[] iv) throws KrbException {
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int dataLen = workLens[2];
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/223e4572/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/KeKiEnc.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/KeKiEnc.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/KeKiEnc.java
index 23e7a6c..6e98d2a 100644
--- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/KeKiEnc.java
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/KeKiEnc.java
@@ -52,7 +52,7 @@ public abstract class KeKiEnc extends AbstractEncTypeHandler {
@Override
protected void encryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int inputLen = workLens[2];
@@ -75,31 +75,35 @@ public abstract class KeKiEnc extends AbstractEncTypeHandler {
* so need to adjust the workBuffer arrangement
*/
- byte[] tmpEnc = new byte[confounderLen + inputLen + paddingLen];
- // confounder
- byte[] confounder = Confounder.makeBytes(confounderLen);
- System.arraycopy(confounder, 0, tmpEnc, 0, confounderLen);
-
- // data
- System.arraycopy(workBuffer, confounderLen + checksumLen,
- tmpEnc, confounderLen, inputLen);
-
- // padding
- for (int i = confounderLen + inputLen; i < paddingLen; ++i) {
- tmpEnc[i] = 0;
+ if (!raw) {
+ byte[] tmpEnc = new byte[confounderLen + inputLen + paddingLen];
+ // confounder
+ byte[] confounder = Confounder.makeBytes(confounderLen);
+ System.arraycopy(confounder, 0, tmpEnc, 0, confounderLen);
+
+ // data
+ System.arraycopy(workBuffer, confounderLen + checksumLen,
+ tmpEnc, confounderLen, inputLen);
+
+ // padding
+ for (int i = confounderLen + inputLen; i < paddingLen; ++i) {
+ tmpEnc[i] = 0;
+ }
+
+ // checksum & encrypt
+ byte[] checksum = makeChecksum(ki, tmpEnc, checksumLen);
+ encProvider().encrypt(ke, iv, tmpEnc);
+
+ System.arraycopy(tmpEnc, 0, workBuffer, 0, tmpEnc.length);
+ System.arraycopy(checksum, 0, workBuffer, tmpEnc.length, checksum.length);
+ } else {
+ encProvider().encrypt(ke, iv, workBuffer);
}
-
- // checksum & encrypt
- byte[] checksum = makeChecksum(ki, tmpEnc, checksumLen);
- encProvider().encrypt(ke, iv, tmpEnc);
-
- System.arraycopy(tmpEnc, 0, workBuffer, 0, tmpEnc.length);
- System.arraycopy(checksum, 0, workBuffer, tmpEnc.length, checksum.length);
}
@Override
protected byte[] decryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int dataLen = workLens[2];
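Review bot: The padding loop carried into the non-raw branch, `for (int i = confounderLen + inputLen; i < paddingLen; ++i)`, compares `i` against `paddingLen` alone, so with the start index already at `confounderLen + inputLen` it normally never executes; it only works because `tmpEnc` is freshly zeroed. Since the array is zero-initialised the loop can be dropped, or the bound corrected to `i < confounderLen + inputLen + paddingLen` if an explicit pad is wanted. The raw branch, `encProvider().encrypt(ke, iv, workBuffer)`, produces ciphertext with no confounder and no checksum; a comment such as `// raw: no confounder/checksum, integrity is the caller's responsibility` documents that contract where it matters. The enclosing `encryptWith` starts outside this hunk.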
@@ -116,20 +120,25 @@ public abstract class KeKiEnc extends AbstractEncTypeHandler {
byte[] tmpEnc = new byte[confounderLen + dataLen];
System.arraycopy(workBuffer, 0,
tmpEnc, 0, confounderLen + dataLen);
- byte[] checksum = new byte[checksumLen];
- System.arraycopy(workBuffer, confounderLen + dataLen,
- checksum, 0, checksumLen);
-
- encProvider().decrypt(ke, iv, tmpEnc);
- byte[] newChecksum = makeChecksum(ki, tmpEnc, checksumLen);
-
- if (!checksumEqual(checksum, newChecksum)) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY);
+ if (!raw) {
+ byte[] checksum = new byte[checksumLen];
+ System.arraycopy(workBuffer, confounderLen + dataLen,
+ checksum, 0, checksumLen);
+
+ encProvider().decrypt(ke, iv, tmpEnc);
+ byte[] newChecksum = makeChecksum(ki, tmpEnc, checksumLen);
+
+ if (!checksumEqual(checksum, newChecksum)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY);
+ }
+
+ byte[] data = new byte[dataLen];
+ System.arraycopy(tmpEnc, confounderLen, data, 0, dataLen);
+ return data;
+ } else {
+ encProvider().decrypt(ke, iv, tmpEnc);
+ return tmpEnc;
}
-
- byte[] data = new byte[dataLen];
- System.arraycopy(tmpEnc, confounderLen, data, 0, dataLen);
- return data;
}
protected abstract byte[] makeChecksum(byte[] key, byte[] data, int hashSize)
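Review bot: The two-line raw branch is placed in an `else` after the whole checksum-verifying path; an early `if (raw) { encProvider().decrypt(ke, iv, tmpEnc); return tmpEnc; }` right after `tmpEnc` is filled would keep the authenticated path unindented and make it obvious that raw mode returns unverified plaintext. In raw mode `dataLen` is the full cipher length (per the `workLens` built in `decryptRaw`), so a comment such as `// raw: dataLen covers the whole buffer, no checksum follows it` would clarify the reuse of the variable. The enclosing `decryptWith` starts outside this hunk.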
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/223e4572/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/Rc4HmacEnc.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/Rc4HmacEnc.java b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/Rc4HmacEnc.java
index 2f4aa59..f9a2f49 100644
--- a/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/Rc4HmacEnc.java
+++ b/kerby-kerb/kerb-crypto/src/main/java/org/apache/kerby/kerberos/kerb/crypto/enc/Rc4HmacEnc.java
@@ -80,8 +80,13 @@ public class Rc4HmacEnc extends AbstractEncTypeHandler {
return CheckSumType.HMAC_MD5_ARCFOUR;
}
+ @Override
protected void encryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
+ if (raw) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP,
+ "Raw mode not supported for this encryption type");
+ }
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int dataLen = workLens[2];
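Review bot: The raw-mode guard is duplicated verbatim in `encryptWith` and `decryptWith` (the second hunk of this file); a small private helper, `private static void rejectRaw(boolean raw) throws KrbException { if (raw) { throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP, "Raw mode not supported for this encryption type"); } }`, keeps the message and error code in one place. `KDC_ERR_ETYPE_NOSUPP` is a KDC-side error code reused for an API-level limitation; if the project has a more general code it would be a better fit, but I cannot tell from this hunk. Both enclosing methods continue outside the hunks.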
@@ -133,7 +138,11 @@ public class Rc4HmacEnc extends AbstractEncTypeHandler {
@Override
protected byte[] decryptWith(byte[] workBuffer, int[] workLens,
- byte[] key, byte[] iv, int usage) throws KrbException {
+ byte[] key, byte[] iv, int usage, boolean raw) throws KrbException {
+ if (raw) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP,
+ "Raw mode not supported for this encryption type");
+ }
int confounderLen = workLens[0];
int checksumLen = workLens[1];
int dataLen = workLens[2];
[30/50] [abbrv] directory-kerby git commit: Refactoring the package
and structure
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java
new file mode 100644
index 0000000..1f063c3
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV1.java
@@ -0,0 +1,319 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import sun.security.jgss.GSSHeader;
+import sun.security.util.ObjectIdentifier;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+/**
+ * This class implements the token formats defined in RFC 1964 and its updates
+ *
+ * The GSS Wrap token has the following format:
+ *
+ * Byte no Name Description
+ * 0..1 TOK_ID 0201
+ *
+ * 2..3 SGN_ALG Checksum algorithm indicator.
+ * 00 00 DES MAC MD5
+ * 01 00 MD2.5
+ * 02 00 DES MAC
+ * 04 00 HMAC SHA1 DES3-KD
+ * 11 00 RC4-HMAC used by Microsoft Windows, RFC 4757
+ * 4..5 SEAL_ALG ff ff none
+ * 00 00 DES
+ * 02 00 DES3-KD
+ * 10 00 RC4-HMAC
+ * 6..7 Filler FF FF
+ * 8..15 SND_SEQ Encrypted sequence number field.
+ * 16..23 SNG_CKSUM Checksum of plaintext padded data,
+ * calculated according to algorithm
+ * specified in SGN_ALG field.
+ * 24.. Data Encrypted or plaintext padded data
+ *
+ *
+ *
+ * Use of the GSS MIC token has the following format:
+
+ * Byte no Name Description
+ * 0..1 TOK_ID 0101
+ * 2..3 SGN_ALG Integrity algorithm indicator.
+ * 4..7 Filler Contains ff ff ff ff
+ * 8..15 SND_SEQ Sequence number field.
+ * 16..23 SGN_CKSUM Checksum of "to-be-signed data",
+ * calculated according to algorithm
+ * specified in SGN_ALG field.
+ *
+ */
+abstract class GssTokenV1 extends GssTokenBase {
+ // SGN ALG
+ public static final int SGN_ALG_DES_MAC_MD5 = 0;
+ public static final int SGN_ALG_MD25 = 0x0100;
+ public static final int SGN_ALG_DES_MAC = 0x0200;
+ public static final int SGN_ALG_HMAC_SHA1_DES3_KD = 0x0400;
+ public static final int SGN_ALG_RC4_HMAC = 0x1100;
+
+ // SEAL ALG
+ public static final int SEAL_ALG_NONE = 0xFFFF;
+ public static final int SEAL_ALG_DES = 0x0; // "DES/CBC/NoPadding"
+ public static final int SEAL_ALG_DES3_KD = 0x0200;
+ public static final int SEAL_ALG_RC4_HMAC = 0x1000;
+
+ public static final int KG_USAGE_SEAL = 22;
+ public static final int KG_USAGE_SIGN = 23;
+ public static final int KG_USAGE_SEQ = 24;
+ public static final int KG_USAGE_MS_SIGN = 15;
+
+ private boolean isInitiator;
+ private boolean confState;
+ private int sequenceNumber;
+
+ protected GssEncryptor encryptor;
+
+ private GSSHeader gssHeader;
+
+ public static final int TOKEN_HEADER_COMM_SIZE = 8;
+ public static final int TOKEN_HEADER_SEQ_SIZE = 8;
+
+ // Token commHeader data
+ private int tokenType;
+ private byte[] commHeader = new byte[TOKEN_HEADER_COMM_SIZE];
+ private int sgnAlg;
+ private int sealAlg;
+
+ private byte[] plainSequenceBytes;
+ private byte[] encryptedSequenceNumber = new byte[TOKEN_HEADER_SEQ_SIZE];
+ private byte[] checkSum;
+ private int checkSumSize;
+
+ protected int reconHeaderLen; // only used for certain reason
+
+ public static ObjectIdentifier objId;
+
+ static {
+ try {
+ objId = new ObjectIdentifier("1.2.840.113554.1.2.2");
+ } catch (IOException ioe) { // NOPMD
+ }
+ }
+
+ protected int getTokenHeaderSize() {
+ return TOKEN_HEADER_COMM_SIZE + TOKEN_HEADER_SEQ_SIZE + checkSumSize;
+ }
+
+ protected byte[] getPlainSequenceBytes() {
+ byte[] ret = new byte[4];
+ ret[0] = plainSequenceBytes[0];
+ ret[1] = plainSequenceBytes[1];
+ ret[2] = plainSequenceBytes[2];
+ ret[3] = plainSequenceBytes[3];
+ return ret;
+ }
+
+ // Generate a new token
+ GssTokenV1(int tokenType, GssContext context) throws GSSException {
+ initialize(tokenType, context, false);
+ createTokenHeader();
+ }
+
+ // Reconstruct a token
+ GssTokenV1(int tokenType, GssContext context, MessageProp prop,
+ byte[] token, int offset, int size) throws GSSException {
+ int proxLen = size > 64 ? 64 : size;
+ InputStream is = new ByteArrayInputStream(token, offset, proxLen);
+ reconstructInitializaion(tokenType, context, prop, is);
+ reconHeaderLen = gssHeader.getLength() + getTokenHeaderSize();
+ }
+
+ // Reconstruct a token
+ GssTokenV1(int tokenType, GssContext context, MessageProp prop, InputStream is) throws GSSException {
+ reconstructInitializaion(tokenType, context, prop, is);
+ }
+
+ private void reconstructInitializaion(int tokenType, GssContext context, MessageProp prop, InputStream is)
+ throws GSSException {
+ initialize(tokenType, context, true);
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ try {
+ gssHeader = new GSSHeader(is);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token:" + e.getMessage());
+ }
+
+ if (!gssHeader.getOid().equals((Object) objId)) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token OID");
+ }
+
+ reconstructTokenHeader(is, prop);
+ }
+
+ private void initialize(int tokenType,
+ GssContext context,
+ boolean reconstruct) throws GSSException {
+ this.tokenType = tokenType;
+ this.isInitiator = context.isInitiator();
+ this.confState = context.getConfState();
+ this.encryptor = context.getGssEncryptor();
+ this.checkSumSize = encryptor.getCheckSumSize();
+ if (!reconstruct) {
+ this.sequenceNumber = context.incMySequenceNumber();
+ } else {
+ checkSum = new byte[checkSumSize];
+ }
+ }
+
+ protected void calcPrivacyInfo(MessageProp prop, byte[] confounder, byte[] data,
+ int dataOffset, int dataLength, int paddingLen) throws GSSException {
+ prop.setQOP(0);
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ checkSum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
+ encryptSequenceNumber();
+ }
+
+ protected void verifyToken(byte[] confounder, byte[] data, int dataOffset, int dataLength, int paddingLen)
+ throws GSSException {
+ byte[] sum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
+ if (!MessageDigest.isEqual(checkSum, sum)) {
+ throw new GSSException(GSSException.BAD_MIC, -1,
+ "Corrupt token checksum for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
+ }
+ }
+
+ private byte[] calcCheckSum(byte[] confounder, byte[] header, byte[] data,
+ int dataOffset, int dataLength, int paddingLen) throws GSSException {
+ return encryptor.calculateCheckSum(confounder, header, data, dataOffset, dataLength, paddingLen,
+ tokenType == TOKEN_MIC_V1);
+ }
+
+ private void encryptSequenceNumber() throws GSSException {
+ plainSequenceBytes = new byte[8];
+ if (encryptor.isArcFourHmac()) {
+ writeBigEndian(plainSequenceBytes, 0, sequenceNumber);
+ } else {
+ plainSequenceBytes[0] = (byte) sequenceNumber;
+ plainSequenceBytes[1] = (byte) (sequenceNumber >>> 8);
+ plainSequenceBytes[2] = (byte) (sequenceNumber >>> 16);
+ plainSequenceBytes[3] = (byte) (sequenceNumber >>> 24);
+ }
+
+ // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
+ if (!isInitiator) {
+ plainSequenceBytes[4] = (byte) 0xFF;
+ plainSequenceBytes[5] = (byte) 0xFF;
+ plainSequenceBytes[6] = (byte) 0xFF;
+ plainSequenceBytes[7] = (byte) 0xFF;
+ }
+
+ encryptedSequenceNumber = encryptor.encryptSequenceNumber(plainSequenceBytes, checkSum, true);
+ }
+
+ public void encodeHeader(OutputStream os) throws GSSException, IOException {
+ // | GSSHeader | TokenHeader |
+ GSSHeader gssHeader = new GSSHeader(objId, getTokenSizeWithoutGssHeader());
+ gssHeader.encode(os);
+ os.write(commHeader);
+ os.write(encryptedSequenceNumber);
+ os.write(checkSum);
+ }
+
+ private void createTokenHeader() {
+ commHeader[0] = (byte) (tokenType >>> 8);
+ commHeader[1] = (byte) tokenType;
+
+ sgnAlg = encryptor.getSgnAlg();
+ commHeader[2] = (byte) (sgnAlg >>> 8);
+ commHeader[3] = (byte) sgnAlg;
+
+ if (tokenType == TOKEN_WRAP_V1) {
+ sealAlg = encryptor.getSealAlg();
+ commHeader[4] = (byte) (sealAlg >>> 8);
+ commHeader[5] = (byte) sealAlg;
+ } else {
+ commHeader[4] = (byte) 0xFF;
+ commHeader[5] = (byte) 0xFF;
+ }
+
+ commHeader[6] = (byte) 0xFF;
+ commHeader[7] = (byte) 0xFF;
+ }
+
+ // Re-construct token commHeader
+ private void reconstructTokenHeader(InputStream is, MessageProp prop) throws GSSException {
+ try {
+ if (is.read(commHeader) != commHeader.length
+ || is.read(encryptedSequenceNumber) != encryptedSequenceNumber.length
+ || is.read(checkSum) != checkSum.length) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Insufficient in reconstruct token header");
+ }
+ initTokenHeader(commHeader, prop);
+
+ plainSequenceBytes = encryptor.encryptSequenceNumber(encryptedSequenceNumber, checkSum, false);
+ byte dirc = isInitiator ? (byte) 0xFF : 0;
+ // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
+ if (!(plainSequenceBytes[4] == dirc && plainSequenceBytes[5] == dirc
+ && plainSequenceBytes[6] == dirc && plainSequenceBytes[7] == dirc)) {
+ throw new GSSException(GSSException.BAD_MIC, -1,
+ "Corrupt token sequence for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error in reconstruct token header:" + e.getMessage());
+ }
+ }
+
+ private void initTokenHeader(byte[] tokenBytes, MessageProp prop) throws GSSException {
+ int tokenIDRecv = (((int) tokenBytes[0]) << 8) + tokenBytes[1];
+ if (tokenType != tokenIDRecv) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
+ "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
+ }
+
+ sgnAlg = (((int) tokenBytes[2]) << 8) + tokenBytes[3];
+ sealAlg = (((int) tokenBytes[4]) << 8) + tokenBytes[5];
+
+ if (tokenBytes[6] != (byte) 0xFF || tokenBytes[7] != (byte) 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token head filler");
+ }
+
+ prop.setQOP(0);
+ prop.setPrivacy(sealAlg != SEAL_ALG_NONE);
+ }
+
+ protected GSSHeader getGssHeader() {
+ return gssHeader;
+ }
+
+ abstract int getTokenSizeWithoutGssHeader();
+}
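Review bot: `initTokenHeader` decodes the 16-bit header fields with sign-extended bytes, so for the no-seal value `ff ff` the expression `(((int) tokenBytes[4]) << 8) + tokenBytes[5]` evaluates to -257 and never equals `SEAL_ALG_NONE` (0xFFFF), which makes `prop.setPrivacy(sealAlg != SEAL_ALG_NONE)` report an unsealed Wrap token as private; mask each byte instead: `int tokenIDRecv = ((tokenBytes[0] & 0xFF) << 8) | (tokenBytes[1] & 0xFF);`, `sgnAlg = ((tokenBytes[2] & 0xFF) << 8) | (tokenBytes[3] & 0xFF);`, `sealAlg = ((tokenBytes[4] & 0xFF) << 8) | (tokenBytes[5] & 0xFF);`. Related, `createTokenHeader` writes `encryptor.getSealAlg()` into every Wrap header whether or not privacy was requested, while the receiver derives privacy from SEAL_ALG alone, so a Wrap token sent with privacy off would presumably be treated as sealed by this receiver; the header should carry `SEAL_ALG_NONE` when the body goes out in the clear (the class comment documents `ff ff` as none). `reconstructTokenHeader` only checks the four direction bytes of the decrypted sequence field; the 4-byte sequence value is never compared with the peer's expected counter, so replayed or out-of-order tokens are not detected at this layer — if a caller is meant to do that, a comment such as `// NOTE: sequence value is not checked against the peer counter here; replay/ordering detection is left to the caller` should say so. The static initializer swallows the `IOException` from `new ObjectIdentifier(...)`, leaving `objId` null for every later `GSSHeader` comparison and construction; `throw new ExceptionInInitializerError(ioe);` in the catch makes the failure visible at class load. Also `reconstructTokenHeader` treats a short `is.read(...)` as a hard failure rather than continuing to read, which is fine for the `ByteArrayInputStream` constructor but not for the constructor that takes an arbitrary stream.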
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java
new file mode 100644
index 0000000..5220900
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssTokenV2.java
@@ -0,0 +1,282 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+/**
+ * This class implements the token formats defined in RFC 4121.
+ */
+abstract class GssTokenV2 extends GssTokenBase {
+ public static final int CONFOUNDER_SIZE = 16;
+ public static final int TOKEN_HEADER_SIZE = 16;
+ private static final int OFFSET_EC = 4;
+ private static final int OFFSET_RRC = 6;
+
+ // context states
+ private boolean isInitiator = true;
+ private boolean acceptorSubKey = false;
+ private boolean confState = true;
+ private int sequenceNumber;
+
+ // token data
+ protected int tokenType;
+ private byte[] header = new byte[TOKEN_HEADER_SIZE];
+ protected byte[] tokenData;
+
+ protected byte[] checkSum;
+ private int ec;
+ private int rrc;
+
+ static final int KG_USAGE_ACCEPTOR_SEAL = 22;
+ static final int KG_USAGE_ACCEPTOR_SIGN = 23;
+ static final int KG_USAGE_INITIATOR_SEAL = 24;
+ static final int KG_USAGE_INITIATOR_SIGN = 25;
+ private int keyUsage;
+
+ private static final int FLAG_SENT_BY_ACCEPTOR = 1;
+ private static final int FLAG_SEALED = 2;
+ private static final int FLAG_ACCEPTOR_SUBKEY = 4;
+
+ protected GssEncryptor encryptor;
+
+
+ // Create a new token
+ GssTokenV2(int tokenType, GssContext context) throws GSSException {
+ initialize(tokenType, context, false);
+ }
+
+ private void initialize(int tokenType, GssContext context, boolean reconstruct) throws GSSException {
+ this.tokenType = tokenType;
+ this.isInitiator = context.isInitiator();
+ this.acceptorSubKey = context.getKeyComesFrom() == GssContext.ACCEPTOR_SUBKEY;
+ this.confState = context.getConfState();
+
+ boolean usageFlag = reconstruct ? !this.isInitiator : this.isInitiator;
+ if (tokenType == TOKEN_WRAP_V2) {
+ keyUsage = usageFlag ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
+ } else if (tokenType == TOKEN_MIC_V2) {
+ keyUsage = usageFlag ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
+ }
+
+ encryptor = context.getGssEncryptor();
+
+ if (!reconstruct) {
+ this.sequenceNumber = context.incMySequenceNumber();
+ }
+ }
+
+ // Reconstruct token from bytes received
+ GssTokenV2(int tokenType, GssContext context,
+ MessageProp prop, byte[] token, int offset, int len) throws GSSException {
+ this(tokenType, context, prop, new ByteArrayInputStream(token, offset, len));
+ }
+
+ // Reconstruct token from input stream
+ GssTokenV2(int tokenType, GssContext context,
+ MessageProp prop, InputStream is) throws GSSException {
+ initialize(tokenType, context, true);
+
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ reconstructTokenHeader(prop, is);
+
+ int minSize;
+ if (tokenType == TOKEN_WRAP_V2 && prop.getPrivacy()) {
+ minSize = CONFOUNDER_SIZE + TOKEN_HEADER_SIZE + encryptor.getCheckSumSize();
+ } else {
+ minSize = encryptor.getCheckSumSize();
+ }
+
+ try {
+ int tokenLen = is.available();
+
+ if (tokenType == TOKEN_MIC_V2) {
+ tokenLen = minSize;
+ tokenData = new byte[tokenLen];
+ is.read(tokenData);
+ } else {
+ if (tokenLen >= minSize) {
+ tokenData = new byte[tokenLen];
+ is.read(tokenData);
+ } else {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token length");
+ }
+ }
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ tokenData = rotate(tokenData);
+ }
+
+ if (tokenType == TOKEN_MIC_V2
+ || tokenType == TOKEN_WRAP_V2 && !prop.getPrivacy()) {
+ int checksumLen = encryptor.getCheckSumSize();
+
+ if (tokenType != TOKEN_MIC_V2 && checksumLen != ec) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid EC");
+ }
+
+ checkSum = new byte[checksumLen];
+ System.arraycopy(tokenData, tokenLen - checksumLen, checkSum, 0, checksumLen);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token");
+ }
+ }
+
+ private byte[] rotate(byte[] data) {
+ int dataLen = data.length;
+ if (rrc % dataLen != 0) {
+ rrc = rrc % dataLen;
+ byte[] newBytes = new byte[dataLen];
+
+ System.arraycopy(data, rrc, newBytes, 0, dataLen - rrc);
+ System.arraycopy(data, 0, newBytes, dataLen - rrc, rrc);
+ data = newBytes;
+ }
+ return data;
+ }
+
+ public int getKeyUsage() {
+ return keyUsage;
+ }
+
+ public void generateCheckSum(MessageProp prop, byte[] data, int offset, int len) throws GSSException {
+ // generate token header
+ createTokenHeader(prop.getPrivacy());
+
+ if (tokenType == TOKEN_MIC_V2
+ || !prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
+ checkSum = getCheckSum(data, offset, len);
+ }
+
+ if (!prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
+ header[4] = (byte) (checkSum.length >>> 8);
+ header[5] = (byte) (checkSum.length & 0xFF);
+ }
+ }
+
+ public byte[] getCheckSum(byte[] data, int offset, int len) throws GSSException {
+ int confidentialFlag = header[2] & 2;
+ if (confidentialFlag == 0 && tokenType == TOKEN_WRAP_V2) {
+ header[4] = 0;
+ header[5] = 0;
+ header[6] = 0;
+ header[7] = 0;
+ }
+ return encryptor.calculateCheckSum(header, data, offset, len, keyUsage);
+ }
+
+ public boolean verifyCheckSum(byte[] data, int offset, int len) throws GSSException {
+ byte[] dataCheckSum = getCheckSum(data, offset, len);
+ return MessageDigest.isEqual(checkSum, dataCheckSum);
+ }
+
+ // Create a new header
+ private void createTokenHeader(boolean privacy) {
+ header[0] = (byte) (tokenType >>> 8);
+ header[1] = (byte) tokenType;
+
+ int flags = isInitiator ? 0 : FLAG_SENT_BY_ACCEPTOR;
+ flags |= privacy && tokenType != TOKEN_MIC_V2 ? FLAG_SEALED : 0;
+ flags |= acceptorSubKey ? FLAG_ACCEPTOR_SUBKEY : 0;
+
+ header[2] = (byte) (flags & 0xFF);
+ header[3] = (byte) 0xFF;
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ header[4] = (byte) 0;
+ header[5] = (byte) 0;
+ header[6] = (byte) 0;
+ header[7] = (byte) 0;
+ } else if (tokenType == TOKEN_MIC_V2) {
+ header[4] = (byte) 0xFF;
+ header[5] = (byte) 0xFF;
+ header[6] = (byte) 0xFF;
+ header[7] = (byte) 0xFF;
+ }
+ writeBigEndian(header, 12, sequenceNumber);
+ }
+
+ // Reconstruct a token header
+ private void reconstructTokenHeader(MessageProp prop, InputStream is) throws GSSException {
+ try {
+ if (is.read(header, 0, header.length) != header.length) {
+ throw new GSSException(GSSException.FAILURE, -1, "Token header can not be read");
+ }
+ int tokenIDRecv = (((int) header[0]) << 8) + header[1];
+ if (tokenIDRecv != tokenType) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
+ "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
+ }
+
+ int senderFlag = isInitiator ? FLAG_SENT_BY_ACCEPTOR : 0;
+ int senderFlagRecv = header[2] & FLAG_SENT_BY_ACCEPTOR;
+ if (senderFlagRecv != senderFlag) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid acceptor flag");
+ }
+
+ int confFlagRecv = header[2] & FLAG_SEALED;
+ if (confFlagRecv == FLAG_SEALED && tokenType == TOKEN_WRAP_V2) {
+ prop.setPrivacy(true);
+ } else {
+ prop.setPrivacy(false);
+ }
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ if (header[3] != (byte) 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
+ }
+
+ ec = readBigEndian(header, OFFSET_EC, 2);
+ rrc = readBigEndian(header, OFFSET_RRC, 2);
+ } else if (tokenType == TOKEN_MIC_V2) {
+ for (int i = 3; i < 8; i++) {
+ if ((header[i] & 0xFF) != 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
+ }
+ }
+ }
+
+ prop.setQOP(0);
+ sequenceNumber = readBigEndian(header, 0, 8);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Phrase token header failed");
+ }
+ }
+
+ public int encodeHeader(byte[] buf, int offset) {
+ System.arraycopy(header, 0, buf, offset, TOKEN_HEADER_SIZE);
+ return TOKEN_HEADER_SIZE;
+ }
+
+ public void encodeHeader(OutputStream os) throws IOException {
+ os.write(header);
+ }
+}
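Review bot: reconstructTokenHeader recovers the sequence number with `readBigEndian(header, 0, 8)`, while createTokenHeader writes it with `writeBigEndian(header, 12, sequenceNumber)`, so a received token's sequence number is decoded from the token-ID/flags/filler/EC/RRC bytes rather than from the field the sender filled; assuming readBigEndian(buf, offset, len) mirrors writeBigEndian, the line should be `sequenceNumber = readBigEndian(header, 12, 4);`. The stored value is not consulted anywhere in this file, so the mismatch is silent here, but any replay or ordering check built on it later would operate on the wrong bytes. Separately, the reconstruct constructor sizes tokenData from `is.available()` and discards the return value of `is.read(tokenData)`, so a short read leaves zero-filled bytes that are then treated as token body and checksum; the read should loop until the buffer is full or fail with DEFECTIVE_TOKEN. The same available()/unchecked-read pattern appears in MicTokenV1.verify(InputStream) in this commit.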
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
new file mode 100644
index 0000000..372abcb
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
@@ -0,0 +1,386 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.client.KrbClientBase;
+import org.apache.kerby.kerberos.kerb.type.KerberosTime;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddress;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncTgsRepPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.KrbTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
+
+import javax.crypto.SecretKey;
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
+import java.io.File;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.nio.ByteBuffer;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Date;
+import java.util.List;
+
+/**
+ * Some utility functions to translate types between GSS and Kerby
+ */
+public class GssUtil {
+ private static final int KERBEROS_TICKET_NUM_FLAGS = 32; // KerberosTicket.NUM_LENGTH
+
+ /**
+ * Construct TgtTicket from info contained in KerberosTicket
+ * @param kerberosTicket
+ * @return
+ * @throws GSSException
+ */
+ public static TgtTicket getTgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
+ String clientName = kerberosTicket.getClient().getName();
+ PrincipalName clientPrincipal = new PrincipalName(clientName);
+
+ byte[] asn1Encoded = kerberosTicket.getEncoded();
+ Ticket ticket = getTicketFromAsn1Encoded(asn1Encoded);
+
+ EncAsRepPart encAsRepPart = new EncAsRepPart();
+ fillEncKdcRepPart(encAsRepPart, kerberosTicket);
+
+ TgtTicket tgt = new TgtTicket(ticket, encAsRepPart, clientPrincipal);
+ return tgt;
+ }
+
+ /**
+ * Init encKdcRepPart members with info from kerberosTicket
+ * @param encKdcRepPart
+ * @param kerberosTicket
+ */
+ public static void fillEncKdcRepPart(EncKdcRepPart encKdcRepPart, KerberosTicket kerberosTicket) {
+ String clientName = kerberosTicket.getClient().getName();
+ PrincipalName clientPrincipal = new PrincipalName(clientName);
+
+ SecretKey secretKey = kerberosTicket.getSessionKey();
+ int keyType = kerberosTicket.getSessionKeyType();
+ EncryptionKey key = new EncryptionKey(keyType, secretKey.getEncoded());
+ encKdcRepPart.setKey(key);
+
+ encKdcRepPart.setSname(clientPrincipal);
+ Date authTimeDate = kerberosTicket.getAuthTime();
+ if (authTimeDate != null) {
+ encKdcRepPart.setAuthTime(new KerberosTime(authTimeDate.getTime()));
+ }
+ Date startTimeDate = kerberosTicket.getStartTime();
+ if (startTimeDate != null) {
+ encKdcRepPart.setStartTime(new KerberosTime(startTimeDate.getTime()));
+ }
+ KerberosTime endTime = new KerberosTime(kerberosTicket.getEndTime().getTime());
+ encKdcRepPart.setEndTime(endTime);
+
+
+ InetAddress[] clientAddresses = kerberosTicket.getClientAddresses();
+ HostAddresses hostAddresses = null;
+ if (clientAddresses != null) {
+ hostAddresses = new HostAddresses();
+ for (InetAddress iAddr : clientAddresses) {
+ hostAddresses.add(new HostAddress(iAddr));
+ }
+ }
+ encKdcRepPart.setCaddr(hostAddresses);
+
+ boolean[] tf = kerberosTicket.getFlags();
+ TicketFlags ticketFlags = getTicketFlags(tf);
+ encKdcRepPart.setFlags(ticketFlags);
+
+
+ /* encKdcRepPart.setKeyExpiration();
+ encKdcRepPart.setLastReq();
+ encKdcRepPart.setNonce(); */
+
+ Date renewTillDate = kerberosTicket.getRenewTill();
+ KerberosTime renewTill = renewTillDate == null ? null : new KerberosTime(renewTillDate.getTime());
+ encKdcRepPart.setRenewTill(renewTill);
+
+ String serverRealm = kerberosTicket.getServer().getRealm();
+ encKdcRepPart.setSrealm(serverRealm);
+ }
+
+ /**
+ * Generate TicketFlags instance from flags
+ * @param flags each item in flags identifies an bit setted or not
+ * @return
+ */
+ public static TicketFlags getTicketFlags(boolean[] flags) {
+ if (flags == null || flags.length != KERBEROS_TICKET_NUM_FLAGS) {
+ return null;
+ }
+ int value = 0;
+ for (boolean flag : flags) {
+ value = (value << 1) + (flag ? 1 : 0);
+ }
+ return new TicketFlags(value);
+ }
+
+ /**
+ * Decode each flag in ticketFlags into an boolean array
+ * @param ticketFlags
+ * @return
+ */
+ public static boolean[] ticketFlagsToBooleans(TicketFlags ticketFlags) {
+ boolean[] ret = new boolean[KERBEROS_TICKET_NUM_FLAGS];
+ int value = ticketFlags.getFlags();
+ for (int i = 0; i < KERBEROS_TICKET_NUM_FLAGS; i++) {
+ ret[KERBEROS_TICKET_NUM_FLAGS - i - 1] = (value & 0x1) != 0;
+ value = value >> 1;
+ }
+ return ret;
+ }
+
+ /**
+ * Construct a Ticket from bytes encoded by Asn1
+ * @param encoded
+ * @return
+ * @throws GSSException
+ */
+ public static Ticket getTicketFromAsn1Encoded(byte[] encoded) throws GSSException {
+ Ticket ticket = new Ticket();
+ ByteBuffer byteBuffer = ByteBuffer.wrap(encoded);
+ try {
+ ticket.decode(byteBuffer);
+ return ticket;
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ }
+
+ /**
+ * Scan current context for SgtTicket
+ * @param client
+ * @param service
+ * @return
+ */
+ public static SgtTicket getSgtCredentialFromContext(GSSCaller caller, String client, String service)
+ throws GSSException {
+ KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, client, service);
+ return getSgtTicketFromKerberosTicket(ticket);
+ }
+
+ /**
+ * Construct a SgtTicket from KerberosTicket
+ * @param kerberosTicket
+ * @return
+ * @throws GSSException
+ */
+ public static SgtTicket getSgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
+ if (kerberosTicket == null) {
+ return null;
+ }
+
+ Ticket ticket = getTicketFromAsn1Encoded(kerberosTicket.getEncoded());
+
+ EncTgsRepPart encTgsRepPart = new EncTgsRepPart();
+ fillEncKdcRepPart(encTgsRepPart, kerberosTicket);
+
+ SgtTicket sgt = new SgtTicket(ticket, encTgsRepPart);
+ return sgt;
+ }
+
+ /**
+ * Apply SgtTicket by sending TGS_REQ to KDC
+ * @param ticket
+ * @param service
+ * @return
+ */
+ public static SgtTicket applySgtCredential(KerberosTicket ticket, String service) throws GSSException {
+ TgtTicket tgt = getTgtTicketFromKerberosTicket(ticket);
+ return applySgtCredential(tgt, service);
+ }
+
+ public static SgtTicket applySgtCredential(TgtTicket tgt, String server) throws GSSException {
+ KrbClientBase client = getKrbClient();
+
+ SgtTicket sgt = null;
+ try {
+ client.init();
+ sgt = client.requestSgt(tgt, server);
+ return sgt;
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ }
+
+ public static KerberosTicket convertKrbTicketToKerberosTicket(KrbTicket krbTicket, String clientName)
+ throws GSSException {
+ byte[] asn1Encoding;
+ try {
+ asn1Encoding = krbTicket.getTicket().encode();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+
+ byte[] sessionKey = krbTicket.getSessionKey().getKeyData();
+ int keyType = krbTicket.getSessionKey().getKeyType().getValue();
+
+ EncKdcRepPart encKdcRepPart = krbTicket.getEncKdcRepPart();
+ KerberosPrincipal client = new KerberosPrincipal(clientName);
+
+ PrincipalName serverPrinc = krbTicket.getTicket().getSname();
+ String serverName = serverPrinc.getName() + "@" + krbTicket.getTicket().getRealm();
+ KerberosPrincipal server = new KerberosPrincipal(serverName, serverPrinc.getNameType().getValue());
+
+ TicketFlags ticketFlags = encKdcRepPart.getFlags();
+ boolean[] flags = ticketFlagsToBooleans(ticketFlags);
+
+ Date authTime = new Date(encKdcRepPart.getAuthTime().getTime());
+ Date startTime = new Date(encKdcRepPart.getStartTime().getTime());
+ Date endTime = new Date(encKdcRepPart.getEndTime().getTime());
+ Date renewTill = new Date(encKdcRepPart.getRenewTill().getTime());
+
+ InetAddress[] clientAddresses = null;
+ List<HostAddress> hostAddresses = encKdcRepPart.getCaddr().getElements();
+ if (hostAddresses != null) {
+ int i = 0;
+ clientAddresses = new InetAddress[hostAddresses.size()];
+ for (HostAddress hostAddr : hostAddresses) {
+ try {
+ InetAddress iAddr = InetAddress.getByAddress(hostAddr.getAddress());
+ clientAddresses[i++] = iAddr;
+ } catch (UnknownHostException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Bad client address");
+ }
+ }
+ }
+
+ KerberosTicket ticket = new KerberosTicket(
+ asn1Encoding,
+ client,
+ server,
+ sessionKey,
+ keyType,
+ flags,
+ authTime,
+ startTime,
+ endTime,
+ renewTill,
+ clientAddresses
+ );
+ return ticket;
+ }
+
+ public static KrbClientBase getKrbClient() {
+ KrbClientBase client;
+ try {
+ File confSpecified = new File(getSystemProperty("java.security.krb5.conf"));
+ if (confSpecified != null) {
+ client = new KrbClientBase(confSpecified);
+ } else {
+ client = new KrbClientBase(); // get configure file from environment variable or default path
+ }
+
+ return client;
+ } catch (KrbException e) {
+ return null;
+ }
+ }
+
+ public static EncryptionKey[] convertKerberosKeyToEncryptionKey(KerberosKey[] krbKeys) {
+ if (krbKeys == null) {
+ return null;
+ }
+ EncryptionKey[] keys = new EncryptionKey[krbKeys.length];
+ int i = 0;
+ for (KerberosKey krbKey : krbKeys) {
+ keys[i++] = new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
+ }
+ return keys;
+ }
+
+ /**
+ * Filter out an appropriate KerberosKey from krbKeys and generate a
+ * EncryptionKey accordingly
+ *
+ * @param krbKeys
+ * @param encType
+ * @param kvno
+ * @return
+ */
+ public static EncryptionKey getEncryptionKey(KerberosKey[] krbKeys, int encType, int kvno) {
+ if (krbKeys == null) {
+ return null;
+ }
+ for (KerberosKey krbKey : krbKeys) {
+ if (krbKey.getKeyType() == encType && krbKey.getVersionNumber() == kvno && !krbKey.isDestroyed()) {
+ return new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Get value of predefined system property
+ * @param name
+ * @return
+ */
+ private static String getSystemProperty(String name) {
+ if (name == null) {
+ return null;
+ }
+
+ final String propertyName = name;
+ try {
+ return AccessController.doPrivileged(
+ new PrivilegedExceptionAction<String>() {
+ public String run() {
+ return System.getProperty(propertyName);
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ return null; // ignored
+ }
+ }
+
+ public static com.sun.security.jgss.AuthorizationDataEntry[]
+ kerbyAuthorizationDataToJgssAuthorizationDataEntries(AuthorizationData authData) {
+ if (authData == null) {
+ return null;
+ }
+ List<AuthorizationDataEntry> kerbyEntries = authData.getElements();
+ com.sun.security.jgss.AuthorizationDataEntry[] entries =
+ new com.sun.security.jgss.AuthorizationDataEntry[kerbyEntries.size()];
+ for (int i = 0; i < kerbyEntries.size(); i++) {
+ entries[i] = new com.sun.security.jgss.AuthorizationDataEntry(
+ kerbyEntries.get(i).getAuthzType().getValue(),
+ kerbyEntries.get(i).getAuthzData());
+ }
+ return entries;
+ }
+}
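Review bot: getKrbClient passes the result of `getSystemProperty("java.security.krb5.conf")` straight into `new File(...)`, so when the property is unset `new File((String) null)` throws NullPointerException, the `confSpecified != null` test on the next line can never be false, and the fallback `new KrbClientBase()` branch is unreachable. Test the string instead: `String confPath = getSystemProperty("java.security.krb5.conf");` then `client = confPath != null ? new KrbClientBase(new File(confPath)) : new KrbClientBase();`. The `catch (KrbException e) { return null; }` below also hides the configuration failure, and applySgtCredential(TgtTicket, String) then dereferences the null result in `client.init()`; rethrowing as `new GSSException(GSSException.FAILURE, -1, e.getMessage())` with `initCause(e)` would surface the real error. convertKrbTicketToKerberosTicket likewise dereferences `getRenewTill()`, `getStartTime()` and `getCaddr()` without null checks, even though fillEncKdcRepPart in this same file stores null for renewTill and caddr and leaves startTime unset when the KerberosTicket has none.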
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java
new file mode 100644
index 0000000..63baa6b
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV1.java
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class MicTokenV1 extends GssTokenV1 {
+ public MicTokenV1(GssContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_MIC_V1, context);
+ calcPrivacyInfo(messageProp, null, inMsg, msgOffset, msgLength, 0);
+ }
+
+ // This is called to construct MicToken from MicToken bytes
+ MicTokenV1(GssContext context,
+ MessageProp messageProp,
+ byte[] inToken,
+ int tokenOffset,
+ int tokenLength) throws GSSException {
+ super(TOKEN_MIC_V1, context, messageProp, inToken, tokenOffset, tokenLength);
+ }
+
+ public int getMic(byte[] outToken, int offset) throws GSSException, IOException {
+ byte[] data = getMic();
+ System.arraycopy(data, 0, outToken, offset, data.length);
+ return data.length;
+ }
+
+ /**
+ * Get bytes for this Mic token
+ * @return
+ */
+ public byte[] getMic() throws GSSException {
+ ByteArrayOutputStream os = new ByteArrayOutputStream(64);
+ getMic(os);
+ return os.toByteArray();
+ }
+
+ public void getMic(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error in output MicTokenV1 bytes:" + e.getMessage());
+ }
+ }
+
+ public void verify(InputStream is) throws GSSException {
+ byte[] data;
+ try {
+ data = new byte[is.available()];
+ is.read(data);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Read plain data for MicTokenV1 error:" + e.getMessage());
+ }
+ verify(data, 0, data.length);
+ }
+
+ public void verify(byte[] data, int offset, int len) throws GSSException {
+ verifyToken(null, data, offset, len, 0);
+ }
+
+ protected int getTokenSizeWithoutGssHeader() {
+ return getTokenHeaderSize();
+ }
+}
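Review bot: `getMic(byte[] outToken, int offset)` declares `throws GSSException, IOException`, but its body only calls `getMic()`, which declares GSSException alone, and `System.arraycopy`; the IOException clause forces callers to handle an exception that cannot occur and should be dropped: `public int getMic(byte[] outToken, int offset) throws GSSException {`. That method also copies into the caller's buffer without checking it is large enough, so an undersized buffer surfaces as ArrayIndexOutOfBoundsException rather than a GSSException. The Javadoc on the no-argument `getMic()` has an empty `@return`; suggest `@return the encoded MIC token bytes as a new array` or drop the tag.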
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java
new file mode 100644
index 0000000..2441823
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/MicTokenV2.java
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.IOException;
+import java.io.OutputStream;
+
+public class MicTokenV2 extends GssTokenV2 {
+ private MessageProp prop;
+
+ // This is called to construct MicToken from user input
+ MicTokenV2(GssContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_MIC_V2, context);
+
+ prop = messageProp;
+ if (prop == null) {
+ prop = new MessageProp(0, false);
+ }
+
+ generateCheckSum(prop, inMsg, msgOffset, msgLength);
+ }
+
+ // This is called to construct MicToken from MicToken bytes
+ MicTokenV2(GssContext context,
+ MessageProp messageProp,
+ byte[] inToken,
+ int tokenOffset,
+ int tokenLength) throws GSSException {
+ super(TOKEN_MIC_V2, context, messageProp, inToken, tokenOffset, tokenLength);
+ this.prop = messageProp;
+ }
+
+ public int getMic(byte[] outToken, int offset) {
+ encodeHeader(outToken, offset);
+ System.arraycopy(checkSum, 0, outToken, TOKEN_HEADER_SIZE + offset, checkSum.length);
+ return TOKEN_HEADER_SIZE + checkSum.length;
+ }
+
+ /**
+ * Get bytes for this Mic token
+ * @return
+ */
+ public byte[] getMic() {
+ byte[] ret = new byte[TOKEN_HEADER_SIZE + checkSum.length];
+ getMic(ret, 0);
+ return ret;
+ }
+
+ public void getMic(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ os.write(checkSum);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output MicTokenV2 error:" + e.getMessage());
+ }
+ }
+
+ /**
+ * Calculate the checksum for inMsg and compare with it with this token, throw GssException if not equal
+ * @param inMsg
+ * @param msgOffset
+ * @param msgLen
+ * @throws GSSException
+ */
+ public void verify(byte[] inMsg, int msgOffset, int msgLen) throws GSSException {
+ if (!verifyCheckSum(inMsg, msgOffset, msgLen)) {
+ throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt MIC token");
+ }
+ }
+}
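Review bot: the private field `prop` is assigned in both constructors but never read anywhere in this class, and being private it cannot serve a subclass either; either drop the field (the first constructor only needs a local to pass to generateCheckSum) or document what it is retained for. `getMic(byte[] outToken, int offset)` copies `TOKEN_HEADER_SIZE + checkSum.length` bytes into the caller's buffer without checking that it fits, so an undersized buffer surfaces as ArrayIndexOutOfBoundsException rather than a GSSException; a guard such as `if (outToken.length - offset < TOKEN_HEADER_SIZE + checkSum.length) { throw new GSSException(GSSException.FAILURE, -1, "Output buffer too small"); }` keeps the failure in the API's own vocabulary, though it would require adding `throws GSSException` to that method and to `getMic()`. The Javadoc on verify reads "compare with it with this token"; suggest `Calculate the checksum over inMsg and compare it with the checksum carried by this token; throws GSSException (BAD_MIC) if they differ`, and the `@return` on the no-argument `getMic()` is empty and should state that it returns the header followed by the checksum as a new array.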
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java
new file mode 100644
index 0000000..03395bb
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV1.java
@@ -0,0 +1,196 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.apache.kerby.kerberos.kerb.crypto.util.Random;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import sun.security.jgss.GSSHeader;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class WrapTokenV1 extends GssTokenV1 {
+ public static final int CONFOUNDER_SIZE = 8;
+
+ private boolean privacy;
+
+ private byte[] inData;
+ private int inOffset;
+ private int inLen;
+
+ private int paddingLen;
+ private byte[] confounder;
+ private int tokenBodyLen;
+
+ private byte[] bodyData;
+ private int bodyOffset;
+ private int bodyLen;
+
+ // for reconstruct
+ private int rawDataLength;
+ private byte[] rawData;
+ private int rawDataOffset;
+
+
+ // Generate wrap token according user data
+ public WrapTokenV1(GssContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp prop) throws GSSException {
+ super(TOKEN_WRAP_V1, context);
+
+ paddingLen = getPaddingLength(msgLength);
+ confounder = Random.makeBytes(CONFOUNDER_SIZE);
+ tokenBodyLen = CONFOUNDER_SIZE + msgLength + paddingLen;
+
+ calcPrivacyInfo(prop, confounder, inMsg, msgOffset, msgLength, paddingLen);
+
+ if (!context.getConfState()) {
+ prop.setPrivacy(false);
+ }
+ privacy = prop.getPrivacy();
+ inData = inMsg;
+ inOffset = msgOffset;
+ inLen = msgLength;
+ }
+
+ // Reconstruct a token from token bytes
+ public WrapTokenV1(GssContext context, MessageProp prop,
+ byte[] token, int offset, int len) throws GSSException {
+ super(TOKEN_WRAP_V1, context, prop, token, offset, len);
+ // adjust the offset to the beginning of the body
+ bodyData = token;
+ bodyOffset = offset + reconHeaderLen;
+ bodyLen = len - reconHeaderLen;
+ getRawData(prop);
+ }
+
+ // Reconstruct a token from token bytes stream
+ public WrapTokenV1(GssContext context, MessageProp prop, InputStream is) throws GSSException {
+ super(TOKEN_WRAP_V1, context, prop, is);
+ byte[] token;
+ int len;
+ try {
+ len = is.available();
+ token = new byte[len];
+ is.read(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Read wrap token V1 error:" + e.getMessage());
+ }
+ bodyData = token;
+ bodyOffset = 0;
+ bodyLen = len;
+ getRawData(prop);
+ }
+
+ private void getRawData(MessageProp prop) throws GSSException {
+ privacy = prop.getPrivacy();
+ tokenBodyLen = getGssHeader().getMechTokenLength() - getTokenHeaderSize();
+
+ if (bodyLen < tokenBodyLen) {
+ throw new GSSException(GSSException.FAILURE, -1, "Insufficient data for Wrap token V1");
+ }
+
+ if (privacy) {
+ rawData = encryptor.encryptTokenV1(null, bodyData, bodyOffset, tokenBodyLen, 0,
+ encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, false);
+ paddingLen = rawData[rawData.length - 1];
+ rawDataOffset = CONFOUNDER_SIZE;
+ } else {
+ rawData = bodyData;
+ paddingLen = bodyData[bodyOffset + tokenBodyLen - 1];
+ rawDataOffset = bodyOffset + CONFOUNDER_SIZE;
+ }
+ rawDataLength = tokenBodyLen - CONFOUNDER_SIZE - paddingLen;
+
+ verifyToken(null, rawData, rawDataOffset - CONFOUNDER_SIZE, tokenBodyLen, 0);
+ }
+
+ // Get plain text data from token data bytes
+ public byte[] unwrap() throws GSSException {
+ byte[] ret = new byte[rawDataLength];
+ System.arraycopy(rawData, rawDataOffset, ret, 0, rawDataLength);
+ return ret;
+ }
+
+ public void unwrap(OutputStream os) throws GSSException {
+ try {
+ os.write(rawData, rawDataOffset, rawDataLength);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Error in output wrap token v1 data bytes:" + e.getMessage());
+ }
+ }
+
+ public byte[] wrap() throws GSSException {
+ ByteArrayOutputStream os = new ByteArrayOutputStream(getTokenSizeWithoutGssHeader() + inLen + 64);
+ wrap(os);
+ return os.toByteArray();
+ }
+
+ public void wrap(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ if (privacy) {
+ byte[] enc = encryptor.encryptTokenV1(confounder, inData, inOffset, inLen, paddingLen,
+ encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, true);
+ os.write(enc);
+ } else {
+ os.write(confounder);
+ os.write(inData, inOffset, inLen);
+ os.write(getPaddingBytes(paddingLen));
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Error in output wrap token v1 bytes:" + e.getMessage());
+ }
+ }
+
+ protected int getTokenSizeWithoutGssHeader() {
+ return tokenBodyLen + getTokenHeaderSize();
+ }
+
+ private int getPaddingLength(int dataLen) {
+ if (encryptor.isArcFourHmac()) {
+ return 1;
+ }
+ return 8 - (dataLen % 8);
+ }
+
+ private byte[] getPaddingBytes(int len) {
+ byte[] ret = new byte[len];
+ int i = 0;
+ while (i < len) {
+ ret[i++] = (byte) len;
+ }
+ return ret;
+ }
+
+ public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, GssEncryptor encryptor)
+ throws GSSException {
+ return GSSHeader.getMaxMechTokenSize(objId, maxTokSize)
+ - encryptor.getCheckSumSize()
+ - TOKEN_HEADER_COMM_SIZE - TOKEN_HEADER_SEQ_SIZE
+ - CONFOUNDER_SIZE - 8;
+ }
+}
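Review bot: The padding length read from the last body byte in getRawData (`paddingLen = rawData[rawData.length - 1]` and the plaintext counterpart at `bodyData[bodyOffset + tokenBodyLen - 1]`) is a signed byte of peer-supplied data that is never range-checked before `rawDataLength = tokenBodyLen - CONFOUNDER_SIZE - paddingLen` is derived, so a high-bit byte, a zero, or a value larger than the remaining body makes `unwrap()` fail with an ArrayIndexOutOfBoundsException or return padding as payload instead of a clean GSSException. A check consistent with what getPaddingLength itself produces would be `if (paddingLen < 1 || paddingLen > 8 || paddingLen > tokenBodyLen - CONFOUNDER_SIZE) { throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid padding length in Wrap token V1"); }` placed before rawDataLength is computed. Separately, the stream constructor uses `is.available()` as the token length and ignores the return value of `is.read(token)`, so a short read leaves trailing zero bytes in the body that are only caught later, if at all, by verifyToken; reading until the expected length is reached, or failing when the read count differs, would make that path deterministic.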
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
new file mode 100644
index 0000000..3161e2f
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/WrapTokenV2.java
@@ -0,0 +1,158 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gss.impl;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+
+public class WrapTokenV2 extends GssTokenV2 {
+ private MessageProp prop;
+
+ // Generate a token from user input data
+ WrapTokenV2(GssContext context,
+ byte[] data,
+ int dataOffset,
+ int dataLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_WRAP_V2, context);
+
+ prop = messageProp;
+
+ if (prop.getQOP() != 0) {
+ prop.setQOP(0);
+ }
+
+ if (!context.getConfState()) {
+ prop.setPrivacy(false);
+ }
+
+ generateCheckSum(prop, data, dataOffset, dataLength);
+
+ if (prop.getPrivacy()) {
+ byte[] toProcess = new byte[dataLength + TOKEN_HEADER_SIZE];
+ System.arraycopy(data, dataOffset, toProcess, 0, dataLength);
+ encodeHeader(toProcess, dataLength);
+
+ tokenData = encryptor.encryptData(toProcess, getKeyUsage());
+ } else {
+ tokenData = data; // keep it for now
+ }
+ }
+
+ /**
+ * Get bytes of the token
+ * @return
+ */
+ public byte[] wrap() {
+ int dataSize = tokenData.length;
+ int ckSize = checkSum == null ? 0 : checkSum.length;
+ byte[] ret = new byte[TOKEN_HEADER_SIZE + dataSize + ckSize];
+ encodeHeader(ret, 0);
+ System.arraycopy(tokenData, 0, ret, TOKEN_HEADER_SIZE, dataSize);
+ if (ckSize > 0) {
+ System.arraycopy(checkSum, 0, ret, TOKEN_HEADER_SIZE + dataSize, ckSize);
+ }
+ return ret;
+ }
+
+ public void wrap(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ os.write(tokenData);
+ int ckSize = checkSum == null ? 0 : checkSum.length;
+ if (ckSize > 0) {
+ os.write(checkSum);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
+ }
+ }
+
+ // Reconstruct a token from token bytes
+ public WrapTokenV2(GssContext context, MessageProp prop, byte[] token, int offset, int len) throws GSSException {
+ super(TOKEN_WRAP_V2, context, prop, token, offset, len);
+ this.prop = prop;
+ }
+
+ // Reconstruct a token from token bytes stream
+ public WrapTokenV2(GssContext context, MessageProp prop, InputStream is) throws GSSException {
+ super(TOKEN_WRAP_V2, context, prop, is);
+ this.prop = prop;
+ }
+
+ /**
+ * Get plain text data from token bytes
+ * @param outBuffer
+ * @param offset
+ * @return plain text contained in the wrap token
+ * @throws GSSException
+ */
+ public byte[] unwrap(byte[] outBuffer, int offset) throws GSSException {
+ int lenToCopy;
+ if (prop.getPrivacy()) {
+ byte[] plainText = encryptor.decryptData(tokenData, getKeyUsage());
+ lenToCopy = plainText.length - TOKEN_HEADER_SIZE;
+ if (outBuffer == null) {
+ outBuffer = new byte[lenToCopy];
+ offset = 0;
+ }
+ System.arraycopy(plainText, 0, outBuffer, offset, lenToCopy);
+ } else {
+ lenToCopy = tokenData.length - encryptor.getCheckSumSize();
+ if (outBuffer == null) {
+ outBuffer = new byte[lenToCopy];
+ offset = 0;
+ }
+ System.arraycopy(tokenData, 0, outBuffer, offset, lenToCopy);
+
+ if (!verifyCheckSum(outBuffer, offset, lenToCopy)) {
+ throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt token checksum");
+ }
+ }
+ return outBuffer;
+ }
+
+ public byte[] unwrap() throws GSSException {
+ return unwrap(null, 0);
+ }
+
+ public void unwrap(OutputStream os) throws GSSException {
+ byte[] data = unwrap();
+ try {
+ os.write(data);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
+ }
+ }
+
+ public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, GssEncryptor encryptor)
+ throws GSSException {
+ if (confReq) {
+ return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE * 2 - CONFOUNDER_SIZE;
+ } else {
+ return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE;
+ }
+ }
+}
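Review bot: In the privacy branch of `unwrap(byte[], int)` the trailing `TOKEN_HEADER_SIZE` bytes of the decrypted plaintext (the copy of the header appended at wrap time by `encodeHeader(toProcess, dataLength)`) are simply dropped via `lenToCopy = plainText.length - TOKEN_HEADER_SIZE`, never compared against the header of the received token, so that integrity binding between header and body is not enforced on this side. In both branches `lenToCopy` can also go negative for a truncated token (`tokenData.length - encryptor.getCheckSumSize()` likewise), which surfaces as a NegativeArraySizeException or ArrayIndexOutOfBoundsException rather than a GSSException. I would add `if (lenToCopy < 0) { throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Wrap token too short"); }` after each `lenToCopy` assignment, and, in the privacy branch, compare the trailing header bytes of `plainText` with the token header (allowing for the fields this implementation expects to differ) before copying, throwing `GSSException.BAD_MIC` on mismatch; whether the base class already does that comparison is not visible here.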
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
deleted file mode 100644
index adacb27..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
+++ /dev/null
@@ -1,149 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi;
-
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyAcceptCred;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyContext;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyCredElement;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyInitCred;
-import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyNameElement;
-import org.ietf.jgss.GSSCredential;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
-import sun.security.jgss.GSSCaller;
-import sun.security.jgss.spi.GSSContextSpi;
-import sun.security.jgss.spi.GSSCredentialSpi;
-import sun.security.jgss.spi.GSSNameSpi;
-import sun.security.jgss.spi.MechanismFactory;
-
-import java.security.Provider;
-
-/**
- * Kerby Kerberos V5 plugin for JGSS
- */
-public class KerbyMechFactory implements MechanismFactory {
- private static final Provider PROVIDER =
- new org.apache.kerby.kerberos.kerb.gssapi.Provider();
-
- private static final String KRB5_OID_STRING = "1.2.840.113554.1.2.2";
- private static final Oid KRB5_OID = createOid(KRB5_OID_STRING);
-
- private static Oid[] nameTypes =
- new Oid[] {
- GSSName.NT_USER_NAME,
- GSSName.NT_EXPORT_NAME,
- GSSName.NT_HOSTBASED_SERVICE
- };
-
- private final GSSCaller caller;
-
- public Oid getMechanismOid() {
- return KRB5_OID;
- }
-
- public Provider getProvider() {
- return PROVIDER;
- }
-
- public Oid[] getNameTypes() throws GSSException {
- return nameTypes;
- }
-
- public KerbyMechFactory(GSSCaller caller) {
- this.caller = caller;
- }
-
- public GSSNameSpi getNameElement(String nameStr, Oid nameType)
- throws GSSException {
- return KerbyNameElement.getInstance(nameStr, nameType);
- }
-
- public GSSNameSpi getNameElement(byte[] name, Oid nameType)
- throws GSSException {
- return KerbyNameElement.getInstance(name.toString(), nameType);
- }
-
- // Used by initiator
- public GSSContextSpi getMechanismContext(GSSNameSpi peer,
- GSSCredentialSpi myInitiatorCred,
- int lifetime) throws GSSException {
- if (peer != null && !(peer instanceof KerbyNameElement)) {
- peer = KerbyNameElement.getInstance(peer.toString(), peer.getStringNameType());
- }
- if (myInitiatorCred == null) {
- myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
- }
- return new KerbyContext(caller, (KerbyNameElement) peer, (KerbyInitCred) myInitiatorCred, lifetime);
- }
-
- public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
- throws GSSException {
- if (myAcceptorCred == null) {
- myAcceptorCred = getCredentialElement(null, 0,
- GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
- }
- return new KerbyContext(caller, (KerbyAcceptCred) myAcceptorCred);
- }
-
- // Reconstruct from previously exported context
- public GSSContextSpi getMechanismContext(byte[] exportedContext)
- throws GSSException {
- return new KerbyContext(caller, exportedContext);
- }
-
- public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
- int initLifetime,
- int acceptLifetime,
- int usage)
- throws GSSException {
- if (name != null && !(name instanceof KerbyNameElement)) {
- name = KerbyNameElement.getInstance(name.toString(), name.getStringNameType());
- }
-
- KerbyCredElement credElement;
-
- if (usage == GSSCredential.INITIATE_ONLY) {
- credElement = KerbyInitCred.getInstance(caller, (KerbyNameElement) name, initLifetime);
- } else if (usage == GSSCredential.ACCEPT_ONLY) {
- credElement = KerbyAcceptCred.getInstance(caller, (KerbyNameElement) name, acceptLifetime);
- } else if (usage == GSSCredential.INITIATE_AND_ACCEPT) {
- throw new GSSException(GSSException.FAILURE, -1, "Unsupported usage mode: INITIATE_AND_ACCEPT");
- } else {
- throw new GSSException(GSSException.FAILURE, -1, "Unknown usage mode: " + usage);
- }
-
- return credElement;
- }
-
- private static Oid createOid(String oidStr) {
- Oid retVal;
- try {
- retVal = new Oid(oidStr);
- } catch (GSSException e) {
- retVal = null;
- }
- return retVal;
- }
-
- public static Oid getOid() {
- return KRB5_OID;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
deleted file mode 100644
index ad3a614..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/Provider.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi;
-
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-
-/**
- * Proivder is used to register the implementation of gssapi mechanism into the system
- */
-public final class Provider extends java.security.Provider {
- private static final long serialVersionUID = 3787378212107821987L;
- private static final String INFO = "Kerby GssApi Provider";
- private static final String MECHANISM_GSSAPI = "GssApiMechanism.1.2.840.113554.1.2.2";
- private static final String MECHANISM_GSSAPI_CLASS = "org.apache.kerby.kerberos.kerb.gssapi.KerbyMechFactory";
-
- public Provider() {
- super("KerbyGssApi", 0.01d, INFO);
-
- AccessController.doPrivileged(new PrivilegedAction<Void>() {
- public Void run() {
-
- put(MECHANISM_GSSAPI, MECHANISM_GSSAPI_CLASS);
-
- return null;
- }
- });
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
deleted file mode 100644
index f7ddc31..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
+++ /dev/null
@@ -1,89 +0,0 @@
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import sun.security.jgss.GSSCaller;
-
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.*;
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.Set;
-
-/**
- * Utility functions to deal with credentials in Context
- */
-public class CredUtils {
-
- public static <T> Set<T> getContextPrivateCredentials(Class<T> credentialType, AccessControlContext acc) {
- Subject subject = Subject.getSubject(acc);
- Set<T> creds = subject.getPrivateCredentials(credentialType);
- return creds;
- }
-
- public static <T> Set<T> getContextCredentials(final Class<T> credentialType) throws GSSException {
- final AccessControlContext acc = AccessController.getContext();
- try {
- return AccessController.doPrivileged(
- new PrivilegedExceptionAction<Set<T>>() {
- public Set<T> run() throws Exception {
- return CredUtils.getContextPrivateCredentials(credentialType, acc);
- }
- });
- } catch (PrivilegedActionException e) {
- throw new GSSException(GSSException.NO_CRED, -1, "Get credential from context failed");
- }
- }
-
- public static KerberosTicket getKerberosTicketFromContext(GSSCaller caller,
- final String clientName,
- final String serverName) throws GSSException {
- Set<KerberosTicket> tickets = getContextCredentials(KerberosTicket.class);
- for (KerberosTicket ticket : tickets) {
- if (ticket.isCurrent() && (serverName == null || ticket.getServer().getName().equals(serverName))
- && (clientName == null || ticket.getClient().getName().equals(clientName))) {
- return ticket;
- }
- }
- return null;
- }
-
- public static KeyTab getKeyTabFromContext(KerberosPrincipal principal) throws GSSException {
- Set<KeyTab> tabs = getContextCredentials(KeyTab.class);
- for (KeyTab tab : tabs) {
- KerberosKey[] keys = tab.getKeys(principal);
- if (keys != null && keys.length > 0) {
- return tab;
- }
- }
- return null;
- }
-
- public static void addCredentialToSubject(final KerberosTicket ticket) throws GSSException {
- final AccessControlContext acc = AccessController.getContext();
-
- final Subject subject = AccessController.doPrivileged(
- new java.security.PrivilegedAction<Subject>() {
- public Subject run() {
- return Subject.getSubject(acc);
- }
- });
-
- AccessController.doPrivileged(
- new java.security.PrivilegedAction<Void>() {
- public Void run() {
- subject.getPrivateCredentials().add(ticket);
- return null;
- }
- });
- }
-
- public static void checkPrincipalPermission(String principalName, String action) {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- ServicePermission sp = new ServicePermission(principalName, action);
- sm.checkPermission(sp);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
deleted file mode 100644
index a7331fa..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyAcceptCred.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-
-import org.ietf.jgss.GSSException;
-import sun.security.jgss.GSSCaller;
-
-import javax.security.auth.kerberos.KerberosKey;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.kerberos.KeyTab;
-
-public final class KerbyAcceptCred extends KerbyCredElement {
-
- private final KeyTab keyTab;
-
- public static KerbyAcceptCred getInstance(final GSSCaller caller,
- KerbyNameElement name, int lifeTime) throws GSSException {
-
- KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
- name.getPrincipalName().getNameType().getValue());
- KeyTab keyTab = CredUtils.getKeyTabFromContext(princ);
-
- if (keyTab == null) {
- throw new GSSException(GSSException.NO_CRED, -1,
- "Failed to find any Kerberos credential for " + name.getPrincipalName().getName());
- }
-
- return new KerbyAcceptCred(caller, name, keyTab, lifeTime);
- }
-
- private KerbyAcceptCred(GSSCaller caller, KerbyNameElement name, KeyTab keyTab, int lifeTime) {
- super(caller, name);
- this.keyTab = keyTab;
- this.accLifeTime = lifeTime;
- }
-
- public boolean isInitiatorCredential() throws GSSException {
- return false;
- }
-
- public boolean isAcceptorCredential() throws GSSException {
- return true;
- }
-
- public KeyTab getKeyTab() {
- return this.keyTab;
- }
-
- public KerberosKey[] getKeys() {
- KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
- name.getPrincipalName().getNameType().getValue());
- return keyTab.getKeys(princ);
- }
-}
[10/50] [abbrv] directory-kerby git commit: DIRKRB-565 Implement Gss
tokens defined in RFC 4121. Contributed by Wei.
Posted by co...@apache.org.
DIRKRB-565 Implement Gss tokens defined in RFC 4121. Contributed by Wei.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/c810a30d
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/c810a30d
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/c810a30d
Branch: refs/heads/gssapi
Commit: c810a30d38d054ea45724bb5c62af18ec7ffb1f6
Parents: 2e81a84
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed May 11 13:48:55 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 10 +
.../kerb/gssapi/krb5/KerbyGssEncryptor.java | 138 +++++++++
.../kerb/gssapi/krb5/KerbyGssTokenBase.java | 59 ++++
.../kerb/gssapi/krb5/KerbyGssTokenV2.java | 282 +++++++++++++++++++
.../kerberos/kerb/gssapi/krb5/KerbyUtil.java | 1 -
.../kerberos/kerb/gssapi/krb5/MicTokenV2.java | 94 +++++++
.../kerberos/kerb/gssapi/krb5/WrapTokenV2.java | 153 ++++++++++
7 files changed, 736 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c810a30d/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index e017683..b450cc9 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -86,6 +86,8 @@ public class KerbyContext implements GSSContextSpi {
private TicketFlags ticketFlags;
private ApReq outApReq;
+ private KerbyGssEncryptor gssEncryptor;
+
// Called on initiator's side.
public KerbyContext(GSSCaller caller, KerbyNameElement peerName, KerbyCredElement myCred,
int lifeTime)
@@ -294,11 +296,13 @@ public class KerbyContext implements GSSContextSpi {
ctxState = STATE_ESTABLISHING;
if (!getMutualAuthState()) {
+ gssEncryptor = new KerbyGssEncryptor(getSessionKey());
ctxState = STATE_ESTABLISHED;
}
} else if (ctxState == STATE_ESTABLISHING) {
verifyServerToken(is, mechTokenSize);
+ gssEncryptor = new KerbyGssEncryptor(getSessionKey());
outApReq = null;
ctxState = STATE_ESTABLISHED;
}
@@ -389,6 +393,8 @@ public class KerbyContext implements GSSContextSpi {
ret = verifyClientToken(acceptCred, is, mechTokenSize);
}
+ gssEncryptor = new KerbyGssEncryptor(getSessionKey());
+
myCred = null;
ctxState = STATE_ESTABLISHED;
}
@@ -607,4 +613,8 @@ public class KerbyContext implements GSSContextSpi {
return peerSequenceNumber++;
}
}
+
+ public KerbyGssEncryptor getGssEncryptor() {
+ return gssEncryptor;
+ }
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c810a30d/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
new file mode 100644
index 0000000..d65346b
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
@@ -0,0 +1,138 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
+import org.apache.kerby.kerberos.kerb.crypto.CheckSumTypeHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
+import org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
+import org.ietf.jgss.GSSException;
+
+/**
+ * This class implements encryption related function used in GSS tokens
+ */
+public class KerbyGssEncryptor {
+
+ private EncryptionKey encKey;
+ private boolean isV2 = false;
+
+ public KerbyGssEncryptor(EncryptionKey key) throws GSSException {
+ encKey = key;
+ EncryptionType keyType = key.getKeyType();
+ // TODO: add support for other algorithms
+ if (keyType == EncryptionType.AES128_CTS_HMAC_SHA1_96
+ || keyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
+ isV2 = true;
+ } else {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Invalid encryption type: " + key.getKeyType().getDisplayName());
+ }
+ }
+
+ /**
+ * Return true if it is encryption type defined in RFC 4121
+ * @return
+ */
+ public boolean isV2() {
+ return isV2;
+ }
+
+ public byte[] encryptData(byte[] tokenHeader, byte[] data,
+ int offset, int len, int keyUsage) throws GSSException {
+ byte[] ret;
+ byte[] toProcess = new byte[tokenHeader.length + len];
+ System.arraycopy(data, offset, toProcess, 0, len);
+ System.arraycopy(tokenHeader, 0, toProcess, len, tokenHeader.length);
+
+ ret = encryptData(toProcess, keyUsage);
+ return ret;
+ }
+
+ public byte[] encryptData(byte[] toProcess, int keyUsage) throws GSSException {
+ byte[] ret;
+ try {
+ EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
+ ret = encHandler.encrypt(toProcess, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ return ret;
+ }
+
+ public byte[] decryptData(byte[] dataEncrypted, int keyUsage) throws GSSException {
+ byte[] ret;
+ try {
+ EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
+ ret = encHandler.decrypt(dataEncrypted, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
+ }
+ return ret;
+ }
+
+ public byte[] calculateCheckSum(byte[] header, byte[] data, int offset, int len, int keyUsage)
+ throws GSSException {
+ int totalLen = len + (header == null ? 0 : header.length);
+ byte[] buffer = new byte[totalLen];
+ System.arraycopy(data, offset, buffer, 0, len);
+ if (header != null) {
+ System.arraycopy(header, 0, buffer, len, header.length);
+ }
+
+ try {
+ return getCheckSumHandler().checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Exception in checksum calculation:" + encKey.getKeyType().getName());
+ }
+ }
+
+ private CheckSumTypeHandler getCheckSumHandler() throws GSSException {
+ CheckSumType checkSumType;
+ if (encKey.getKeyType() == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
+ checkSumType = CheckSumType.HMAC_SHA1_96_AES128;
+ } else if (encKey.getKeyType() == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
+ checkSumType = CheckSumType.HMAC_SHA1_96_AES256;
+ } else {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Unsupported checksum encryption type:" + encKey.getKeyType().getName());
+ }
+ try {
+ return CheckSumHandler.getCheckSumHandler(checkSumType);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "Unsupported checksum type:" + checkSumType.getName());
+ }
+ }
+
+ /**
+ * Get the size of the corresponding checksum algorithm
+ * @return
+ * @throws GSSException
+ */
+ public int getCheckSumSize() throws GSSException {
+ return getCheckSumHandler().cksumSize();
+ }
+}
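Review bot: Every `catch (KrbException e)` in this class (encryptData, decryptData, calculateCheckSum and getCheckSumHandler) rethrows a new GSSException without the original exception attached, so the underlying crypto failure is lost from stack traces; `calculateCheckSum` additionally discards `e.getMessage()` and reports only the key type name. Since `GSSException` has no cause-taking constructor, the idiom would be `GSSException ge = new GSSException(GSSException.FAILURE, -1, "Exception in checksum calculation: " + e.getMessage()); ge.initCause(e); throw ge;` at each site. The `isV2` field is set in the constructor but, apart from `isV2()`, nothing here reads it, and the constructor already rejects every non-AES key type, so the flag can never be false on a constructed instance; that is worth a comment or removal.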
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c810a30d/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
new file mode 100644
index 0000000..ae5122f
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+
+public abstract class KerbyGssTokenBase {
+ public static final int TOKEN_WRAP_V1 = 0x201;
+ public static final int TOKEN_MIC_V1 = 0x101;
+ public static final int TOKEN_WRAP_V2 = 0x504;
+ public static final int TOKEN_MIC_V2 = 0x404;
+
+ public void writeBigEndian(byte[] buf, int offset, int value) {
+ buf[offset] = (byte) (value >>> 24);
+ buf[offset + 1] = (byte) (value >>> 16);
+ buf[offset + 2] = (byte) (value >>> 8);
+ buf[offset + 3] = (byte) (value);
+ }
+
+ public int readBigEndian(byte[] buf, int offset) {
+ int value = 0;
+ value += (buf[offset] & 0xFF) << 24;
+ value += (buf[offset + 1] & 0xFF) << 16;
+ value += (buf[offset + 2] & 0xFF) << 8;
+ value += buf[offset + 3] & 0xFF;
+ return value;
+ }
+
+ /**
+ *
+ * @param buf
+ * @param offset
+ * @param len should not be larger than sizeof(int)
+ * @return
+ */
+ public int readBigEndian(byte[] buf, int offset, int len) {
+ int value = 0;
+ for (int i = 0; i < len; i++) {
+ value += (buf[offset + i] & 0xFF) << 8;
+ }
+ return value;
+ }
+}
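Review bot: The three-argument `readBigEndian(byte[], int, int)` does not accumulate: every iteration adds `(buf[offset + i] & 0xFF) << 8`, so for `len == 2` both bytes are shifted by 8 and summed instead of forming a 16-bit value, and `len == 1` returns the byte times 256. The loop body should be `value = (value << 8) | (buf[offset + i] & 0xFF);`. The callers introduced in the same commit (`ec`, `rrc` and the sequence number in `KerbyGssTokenV2.reconstructTokenHeader`) therefore receive wrong values whenever a field is non-zero. The Javadoc should also state the contract rather than leave `@return` empty, e.g. `@param len number of bytes to read, at most 4` and `@return the unsigned big-endian value of the {@code len} bytes starting at {@code offset}`.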
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c810a30d/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
new file mode 100644
index 0000000..f2d220a
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
@@ -0,0 +1,282 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.MessageDigest;
+
+/**
+ * This class implements the token formats defined in RFC 4121.
+ */
+abstract class KerbyGssTokenV2 extends KerbyGssTokenBase {
+ public static final int CONFOUNDER_SIZE = 16;
+ public static final int TOKEN_HEADER_SIZE = 16;
+ private static final int OFFSET_EC = 4;
+ private static final int OFFSET_RRC = 6;
+
+ // context states
+ private boolean isInitiator = true;
+ private boolean acceptorSubKey = false;
+ private boolean confState = true;
+ private int sequenceNumber;
+
+ // token data
+ protected int tokenType;
+ private byte[] header = new byte[TOKEN_HEADER_SIZE];
+ protected byte[] tokenData;
+
+ protected byte[] checkSum;
+ private int ec;
+ private int rrc;
+
+ static final int KG_USAGE_ACCEPTOR_SEAL = 22;
+ static final int KG_USAGE_ACCEPTOR_SIGN = 23;
+ static final int KG_USAGE_INITIATOR_SEAL = 24;
+ static final int KG_USAGE_INITIATOR_SIGN = 25;
+ private int keyUsage;
+
+ private static final int FLAG_SENT_BY_ACCEPTOR = 1;
+ private static final int FLAG_SEALED = 2;
+ private static final int FLAG_ACCEPTOR_SUBKEY = 4;
+
+ protected KerbyGssEncryptor encryptor;
+
+
+ // Create a new token
+ KerbyGssTokenV2(int tokenType, KerbyContext context) throws GSSException {
+ initialize(tokenType, context, false);
+ }
+
+ private void initialize(int tokenType, KerbyContext context, boolean reconstruct) throws GSSException {
+ this.tokenType = tokenType;
+ this.isInitiator = context.isInitiator();
+ this.acceptorSubKey = context.getKeyComesFrom() == KerbyContext.ACCEPTOR_SUBKEY;
+ this.confState = context.getConfState();
+
+ boolean usageFlag = reconstruct ? !this.isInitiator : this.isInitiator;
+ if (tokenType == TOKEN_WRAP_V2) {
+ keyUsage = usageFlag ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
+ } else if (tokenType == TOKEN_MIC_V2) {
+ keyUsage = usageFlag ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
+ }
+
+ encryptor = context.getGssEncryptor();
+
+ if (!reconstruct) {
+ this.sequenceNumber = context.incMySequenceNumber();
+ }
+ }
+
+ // Reconstruct token from bytes received
+ KerbyGssTokenV2(int tokenType, KerbyContext context,
+ MessageProp prop, byte[] token, int offset, int len) throws GSSException {
+ this(tokenType, context, prop, new ByteArrayInputStream(token, offset, len));
+ }
+
+ // Reconstruct token from input stream
+ KerbyGssTokenV2(int tokenType, KerbyContext context,
+ MessageProp prop, InputStream is) throws GSSException {
+ initialize(tokenType, context, true);
+
+ if (!confState) {
+ prop.setPrivacy(false);
+ }
+
+ reconstructTokenHeader(prop, is);
+
+ int minSize;
+ if (tokenType == TOKEN_WRAP_V2 && prop.getPrivacy()) {
+ minSize = CONFOUNDER_SIZE + TOKEN_HEADER_SIZE + encryptor.getCheckSumSize();
+ } else {
+ minSize = encryptor.getCheckSumSize();
+ }
+
+ try {
+ int tokenLen = is.available();
+
+ if (tokenType == TOKEN_MIC_V2) {
+ tokenLen = minSize;
+ tokenData = new byte[tokenLen];
+ is.read(tokenData);
+ } else {
+ if (tokenLen >= minSize) {
+ tokenData = new byte[tokenLen];
+ is.read(tokenData);
+ } else {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token length");
+ }
+ }
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ tokenData = rotate(tokenData);
+ }
+
+ if (tokenType == TOKEN_MIC_V2
+ || tokenType == TOKEN_WRAP_V2 && !prop.getPrivacy()) {
+ int checksumLen = encryptor.getCheckSumSize();
+
+ if (tokenType != TOKEN_MIC_V2 && checksumLen != ec) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid EC");
+ }
+
+ checkSum = new byte[checksumLen];
+ System.arraycopy(tokenData, tokenLen - checksumLen, checkSum, 0, checksumLen);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token");
+ }
+ }
+
+ private byte[] rotate(byte[] data) {
+ int dataLen = data.length;
+ if (rrc % dataLen != 0) {
+ rrc = rrc % dataLen;
+ byte[] newBytes = new byte[dataLen];
+
+ System.arraycopy(data, rrc, newBytes, 0, dataLen - rrc);
+ System.arraycopy(data, 0, newBytes, dataLen - rrc, rrc);
+ data = newBytes;
+ }
+ return data;
+ }
+
+ public int getKeyUsage() {
+ return keyUsage;
+ }
+
+ public void generateCheckSum(MessageProp prop, byte[] data, int offset, int len) throws GSSException {
+ // generate token header
+ createTokenHeader(prop.getPrivacy());
+
+ if (tokenType == TOKEN_MIC_V2
+ || !prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
+ checkSum = getCheckSum(data, offset, len);
+ }
+
+ if (!prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
+ header[4] = (byte) (checkSum.length >>> 8);
+ header[5] = (byte) (checkSum.length & 0xFF);
+ }
+ }
+
+ public byte[] getCheckSum(byte[] data, int offset, int len) throws GSSException {
+ int confidentialFlag = header[2] & 2;
+ if (confidentialFlag == 0 && tokenType == TOKEN_WRAP_V2) {
+ header[4] = 0;
+ header[5] = 0;
+ header[6] = 0;
+ header[7] = 0;
+ }
+ return encryptor.calculateCheckSum(header, data, offset, len, keyUsage);
+ }
+
+ public boolean verifyCheckSum(byte[] data, int offset, int len) throws GSSException {
+ byte[] dataCheckSum = getCheckSum(data, offset, len);
+ return MessageDigest.isEqual(checkSum, dataCheckSum);
+ }
+
+ // Create a new header
+ private void createTokenHeader(boolean privacy) {
+ header[0] = (byte) (tokenType >>> 8);
+ header[1] = (byte) tokenType;
+
+ int flags = isInitiator ? 0 : FLAG_SENT_BY_ACCEPTOR;
+ flags |= privacy && tokenType != TOKEN_MIC_V2 ? FLAG_SEALED : 0;
+ flags |= acceptorSubKey ? FLAG_ACCEPTOR_SUBKEY : 0;
+
+ header[2] = (byte) (flags & 0xFF);
+ header[3] = (byte) 0xFF;
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ header[4] = (byte) 0;
+ header[5] = (byte) 0;
+ header[6] = (byte) 0;
+ header[7] = (byte) 0;
+ } else if (tokenType == TOKEN_MIC_V2) {
+ header[4] = (byte) 0xFF;
+ header[5] = (byte) 0xFF;
+ header[6] = (byte) 0xFF;
+ header[7] = (byte) 0xFF;
+ }
+ writeBigEndian(header, 12, sequenceNumber);
+ }
+
+ // Reconstruct a token header
+ private void reconstructTokenHeader(MessageProp prop, InputStream is) throws GSSException {
+ try {
+ if (is.read(header, 0, header.length) != header.length) {
+ throw new GSSException(GSSException.FAILURE, -1, "Token header can not be read");
+ }
+ int tokenIDRecv = (((int) header[0]) << 8) + header[1];
+ if (tokenIDRecv != tokenType) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
+ "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
+ }
+
+ int senderFlag = isInitiator ? FLAG_SENT_BY_ACCEPTOR : 0;
+ int senderFlagRecv = header[2] & FLAG_SENT_BY_ACCEPTOR;
+ if (senderFlagRecv != senderFlag) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid acceptor flag");
+ }
+
+ int confFlagRecv = header[2] & FLAG_SEALED;
+ if (confFlagRecv == FLAG_SEALED && tokenType == TOKEN_WRAP_V2) {
+ prop.setPrivacy(true);
+ } else {
+ prop.setPrivacy(false);
+ }
+
+ if (tokenType == TOKEN_WRAP_V2) {
+ if (header[3] != (byte) 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
+ }
+
+ ec = readBigEndian(header, OFFSET_EC, 2);
+ rrc = readBigEndian(header, OFFSET_RRC, 2);
+ } else if (tokenType == TOKEN_MIC_V2) {
+ for (int i = 3; i < 8; i++) {
+ if ((header[i] & 0xFF) != 0xFF) {
+ throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
+ }
+ }
+ }
+
+ prop.setQOP(0);
+ sequenceNumber = readBigEndian(header, 0, 8);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Phrase token header failed");
+ }
+ }
+
+ public int encodeHeader(byte[] buf, int offset) {
+ System.arraycopy(header, 0, buf, offset, TOKEN_HEADER_SIZE);
+ return TOKEN_HEADER_SIZE;
+ }
+
+ public void encodeHeader(OutputStream os) throws IOException {
+ os.write(header);
+ }
+}
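Review bot: `reconstructTokenHeader` reads the sequence number with `readBigEndian(header, 0, 8)`, i.e. from the token-id/flags/filler/EC/RRC bytes, while `createTokenHeader` writes it at offset 12 with the four-byte `writeBigEndian(header, 12, sequenceNumber)`; a received token can therefore never yield the sequence number the sender stored, and an eight-byte read into an `int` overflows anyway. The read should mirror the write: `sequenceNumber = readBigEndian(header, 12);`. In the stream constructor the return values of `is.read(tokenData)` are discarded and `is.available()` is taken as the token length, so a short read leaves zero-filled tail bytes that are then processed as token data; reading in a loop until `tokenLen` bytes have arrived, and raising `DEFECTIVE_TOKEN` otherwise, would make the length check meaningful. Nothing in this class compares the received sequence number with the peer's expected one, so replay/sequence detection presumably has to happen in the caller — worth stating in the class Javadoc. The message `"Phrase token header failed"` presumably means `"Parse token header failed"`.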
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c810a30d/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
index a5abb46..081788b 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
@@ -21,7 +21,6 @@ package org.apache.kerby.kerberos.kerb.gssapi.krb5;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbClientBase;
-import org.apache.kerby.kerberos.kerb.request.ApRequest;
import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry;
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c810a30d/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
new file mode 100644
index 0000000..7ba27ab
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.IOException;
+import java.io.OutputStream;
+
+public class MicTokenV2 extends KerbyGssTokenV2 {
+ private MessageProp prop;
+
+ // This is called to construct MicToken from user input
+ MicTokenV2(KerbyContext context,
+ byte[] inMsg,
+ int msgOffset,
+ int msgLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_MIC_V2, context);
+
+ prop = messageProp;
+ if (prop == null) {
+ prop = new MessageProp(0, false);
+ }
+
+ generateCheckSum(prop, inMsg, msgOffset, msgLength);
+ }
+
+ // This is called to construct MicToken from MicToken bytes
+ MicTokenV2(KerbyContext context,
+ MessageProp messageProp,
+ byte[] inToken,
+ int tokenOffset,
+ int tokenLength) throws GSSException {
+ super(TOKEN_MIC_V2, context, messageProp, inToken, tokenOffset, tokenLength);
+ this.prop = messageProp;
+ }
+
+ public int getMic(byte[] outToken, int offset) {
+ encodeHeader(outToken, offset);
+ System.arraycopy(checkSum, 0, outToken, TOKEN_HEADER_SIZE + offset, checkSum.length);
+ return TOKEN_HEADER_SIZE + checkSum.length;
+ }
+
+ /**
+ * Get bytes for this Mic token
+ * @return
+ */
+ public byte[] getMic() {
+ byte[] ret = new byte[TOKEN_HEADER_SIZE + checkSum.length];
+ getMic(ret, 0);
+ return ret;
+ }
+
+ public void getMic(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ os.write(checkSum);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output MicTokenV2 error:" + e.getMessage());
+ }
+ }
+
+ /**
+ * Calculate the checksum for inMsg and compare with it with this token, throw GssException if not equal
+ * @param inMsg
+ * @param msgOffset
+ * @param msgLen
+ * @throws GSSException
+ */
+ public void verify(byte[] inMsg, int msgOffset, int msgLen) throws GSSException {
+ if (!verifyCheckSum(inMsg, msgOffset, msgLen)) {
+ throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt MIC token");
+ }
+ }
+}
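Review bot: The Javadoc on `getMic()` has an empty `@return`, and `getMic(byte[], int)` and `getMic(OutputStream)` have none; the contract worth stating is the layout and the returned length, e.g. `@return the encoded MIC token: the 16-byte token header followed by the checksum` on `getMic()` and `@return number of bytes written to {@code outToken}, i.e. {@code TOKEN_HEADER_SIZE + checkSum.length}` on the array variant. `getMic(byte[], int)` copies into `outToken` without checking there is room, so a too-small buffer fails with `ArrayIndexOutOfBoundsException` instead of a `GSSException`; a guard such as `if (outToken.length - offset < TOKEN_HEADER_SIZE + checkSum.length) throw new GSSException(GSSException.FAILURE, -1, "Output buffer too small");` (with `throws GSSException` added to the signature) keeps the failure in the GSS-API domain. The reconstructing constructor also stores `messageProp` without the null default the first constructor applies.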
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/c810a30d/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
new file mode 100644
index 0000000..3a128a9
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
@@ -0,0 +1,153 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+
+public class WrapTokenV2 extends KerbyGssTokenV2 {
+ private MessageProp prop;
+
+ // Generate a token from user input data
+ WrapTokenV2(KerbyContext context,
+ byte[] data,
+ int dataOffset,
+ int dataLength,
+ MessageProp messageProp) throws GSSException {
+ super(TOKEN_WRAP_V2, context);
+
+ prop = messageProp;
+
+ if (prop.getQOP() != 0) {
+ prop.setQOP(0);
+ }
+
+ if (!context.getConfState()) {
+ prop.setPrivacy(false);
+ }
+
+ generateCheckSum(prop, data, dataOffset, dataLength);
+
+ if (prop.getPrivacy()) {
+ byte[] toProcess = new byte[dataLength + TOKEN_HEADER_SIZE];
+ System.arraycopy(data, dataOffset, toProcess, 0, dataLength);
+ encodeHeader(toProcess, dataLength);
+
+ tokenData = encryptor.encryptData(toProcess, getKeyUsage());
+ } else {
+ tokenData = data; // keep it for now
+ }
+ }
+
+ /**
+ * Get bytes of the token
+ * @return
+ */
+ public byte[] wrap() {
+ int dataSize = tokenData.length;
+ int ckSize = checkSum == null ? 0 : checkSum.length;
+ byte[] ret = new byte[TOKEN_HEADER_SIZE + dataSize + ckSize];
+ encodeHeader(ret, 0);
+ System.arraycopy(tokenData, 0, ret, TOKEN_HEADER_SIZE, dataSize);
+ if (ckSize > 0) {
+ System.arraycopy(checkSum, 0, ret, TOKEN_HEADER_SIZE + dataSize, ckSize);
+ }
+ return ret;
+ }
+
+ public void wrap(OutputStream os) throws GSSException {
+ try {
+ encodeHeader(os);
+ os.write(tokenData);
+ int ckSize = checkSum == null ? 0 : checkSum.length;
+ if (ckSize > 0) {
+ os.write(checkSum);
+ }
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
+ }
+ }
+
+ // Reconstruct a token from token bytes
+ public WrapTokenV2(KerbyContext context, MessageProp prop, byte[] token, int offset, int len) throws GSSException {
+ super(TOKEN_WRAP_V2, context, prop, token, offset, len);
+ this.prop = prop;
+ }
+
+ // Reconstruct a token from token bytes stream
+ public WrapTokenV2(KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
+ super(TOKEN_WRAP_V2, context, prop, is);
+ this.prop = prop;
+ }
+
+ /**
+ * Get plain text data from token bytes
+ * @param outBuffer
+ * @param offset
+ * @return plain text contained in the wrap token
+ * @throws GSSException
+ */
+ public byte[] unwrap(byte[] outBuffer, int offset) throws GSSException {
+ int lenToCopy;
+ if (prop.getPrivacy()) {
+ byte[] plainText = encryptor.decryptData(tokenData, getKeyUsage());
+ lenToCopy = plainText.length - TOKEN_HEADER_SIZE;
+ if (outBuffer == null) {
+ outBuffer = new byte[lenToCopy];
+ offset = 0;
+ }
+ System.arraycopy(plainText, 0, outBuffer, offset, lenToCopy);
+ } else {
+ lenToCopy = tokenData.length - encryptor.getCheckSumSize();
+ if (outBuffer == null) {
+ outBuffer = new byte[lenToCopy];
+ offset = 0;
+ }
+ System.arraycopy(tokenData, 0, outBuffer, offset, lenToCopy);
+
+ if (!verifyCheckSum(outBuffer, offset, lenToCopy)) {
+ throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt token checksum");
+ }
+ }
+ return outBuffer;
+ }
+
+ public byte[] unwrap() throws GSSException {
+ return unwrap(null, 0);
+ }
+
+ public void unwrap(OutputStream os) throws GSSException {
+ byte[] data = unwrap();
+ try {
+ os.write(data);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
+ }
+ }
+
+ static int getSizeLimit(int qop, boolean confReq, int maxTokSize) {
+ return maxTokSize; // TODO: to be implemented
+ }
+}
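Review bot: In the wrapping constructor the non-privacy branch keeps the caller's whole array (`tokenData = data; // keep it for now`) although the checksum was computed over `data[dataOffset .. dataOffset + dataLength)`; `wrap()` then copies `tokenData.length` bytes from index 0, so any call with `dataOffset != 0` or `dataLength != data.length` emits a token whose payload and checksum disagree, and the caller's buffer is retained rather than copied. Replace it with `tokenData = java.util.Arrays.copyOfRange(data, dataOffset, dataOffset + dataLength);`. Unlike `MicTokenV2`, `messageProp` is dereferenced here (`prop.getQOP()`) with no null default. In `unwrap` the privacy path simply drops the last `TOKEN_HEADER_SIZE` bytes of the plaintext — the header copy the sender appended via `encodeHeader(toProcess, dataLength)` — without comparing them with the cleartext header, so the cleartext flags and sequence number are not bound to the ciphertext; a constant-time comparison against the received header (which needs a helper on the base class, since `header` is private there) before accepting the data would close that, and a non-zero EC from a non-Kerby peer is likewise not accounted for when computing `lenToCopy`.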
[13/50] [abbrv] directory-kerby git commit: DIRKRB-560 Implement
GSSContextSpi interface. Contributed by Wei.
Posted by co...@apache.org.
DIRKRB-560 Implement GSSContextSpi interface. Contributed by Wei.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/25dc6b88
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/25dc6b88
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/25dc6b88
Branch: refs/heads/gssapi
Commit: 25dc6b88a5b24ff2eb763b8182154e9a30c44747
Parents: c1f4c86
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Apr 27 15:56:50 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 610 +++++++++++++++++++
.../kerberos/kerb/gssapi/krb5/KerbyUtil.java | 22 +-
2 files changed, 623 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/25dc6b88/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
new file mode 100644
index 0000000..e017683
--- /dev/null
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -0,0 +1,610 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.gssapi.krb5;
+
+import com.sun.security.jgss.InquireType;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.gssapi.KerbyMechFactory;
+import org.apache.kerby.kerberos.kerb.request.ApRequest;
+import org.apache.kerby.kerberos.kerb.response.ApResponse;
+import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
+import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
+import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
+import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
+import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
+import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
+import org.ietf.jgss.ChannelBinding;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.MessageProp;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSCaller;
+import sun.security.jgss.spi.GSSContextSpi;
+import sun.security.jgss.spi.GSSCredentialSpi;
+import sun.security.jgss.spi.GSSNameSpi;
+
+import javax.security.auth.kerberos.KerberosTicket;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.Provider;
+
+@SuppressWarnings("PMD")
+public class KerbyContext implements GSSContextSpi {
+
+ private static final int STATE_NONE = 0;
+ private static final int STATE_ESTABLISHING = 1;
+ private static final int STATE_ESTABLISHED = 2;
+ private static final int STATE_DESTROYED = 3;
+
+ private int ctxState = STATE_NONE;
+
+ private final GSSCaller caller;
+ private KerbyCredElement myCred;
+ private boolean initiator;
+ private KerbyNameElement myName;
+ private KerbyNameElement peerName;
+ private int lifeTime;
+ private ChannelBinding channelBinding;
+
+ private boolean mutualAuth = true;
+ private boolean replayDet = true;
+ private boolean sequenceDet = true;
+ private boolean credDeleg = false;
+ private boolean confState = true;
+ private boolean integState = true;
+ private boolean delegPolicy = false;
+
+ public static final int INVALID_KEY = 0;
+ public static final int SESSION_KEY = 1;
+ public static final int INITIATOR_SUBKEY = 2;
+ public static final int ACCEPTOR_SUBKEY = 4;
+ private int keyComesFrom = INVALID_KEY;
+
+ private EncryptionKey sessionKey; // used between client and app server
+ private TicketFlags ticketFlags;
+ private ApReq outApReq;
+
+ // Called on initiator's side.
+ public KerbyContext(GSSCaller caller, KerbyNameElement peerName, KerbyCredElement myCred,
+ int lifeTime)
+ throws GSSException {
+ if (peerName == null) {
+ throw new IllegalArgumentException("Cannot have null peer name");
+ }
+
+ this.caller = caller;
+ this.peerName = peerName;
+ this.myCred = myCred;
+ this.lifeTime = lifeTime;
+ this.initiator = true;
+
+ mySequenceNumberLock = new Object();
+ peerSequenceNumberLock = new Object();
+ }
+
+ public KerbyContext(GSSCaller caller, KerbyAcceptCred myCred)
+ throws GSSException {
+ this.caller = caller;
+ this.myCred = myCred;
+ this.initiator = false;
+
+ mySequenceNumberLock = new Object();
+ peerSequenceNumberLock = new Object();
+ }
+
+ public KerbyContext(GSSCaller caller, byte[] interProcessToken)
+ throws GSSException {
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported feature");
+ }
+
+ public Provider getProvider() {
+ return new org.apache.kerby.kerberos.kerb.gssapi.Provider();
+ }
+
+ public void requestLifetime(int lifeTime) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ this.lifeTime = lifeTime;
+ }
+ }
+
+ public void requestMutualAuth(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ mutualAuth = state;
+ }
+ }
+
+ public void requestReplayDet(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ replayDet = state;
+ }
+ }
+
+ public void requestSequenceDet(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ replayDet = state;
+ }
+ }
+
+ public void requestCredDeleg(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator() && myCred == null) {
+ credDeleg = state;
+ }
+ }
+
+ public void requestAnonymity(boolean state) throws GSSException {
+ // anonymous context not supported
+ }
+
+ public void requestConf(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ confState = state;
+ }
+ }
+
+ public void requestInteg(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ integState = state;
+ }
+ }
+
+ public void requestDelegPolicy(boolean state) throws GSSException {
+ if (ctxState == STATE_NONE && isInitiator()) {
+ delegPolicy = state;
+ }
+ }
+
+ public void setChannelBinding(ChannelBinding cb) throws GSSException {
+ this.channelBinding = cb;
+ }
+
+ public boolean getCredDelegState() {
+ return credDeleg;
+ }
+
+ public boolean getMutualAuthState() {
+ return mutualAuth;
+ }
+
+ public boolean getReplayDetState() {
+ return replayDet || sequenceDet;
+ }
+
+ public boolean getSequenceDetState() {
+ return sequenceDet;
+ }
+
+ public boolean getAnonymityState() {
+ return false;
+ }
+
+ public boolean getDelegPolicyState() {
+ return delegPolicy;
+ }
+
+ public boolean isTransferable() throws GSSException {
+ return false;
+ }
+
+ public boolean isProtReady() {
+ return ctxState == STATE_ESTABLISHED;
+ }
+
+ public boolean isInitiator() {
+ return initiator;
+ }
+
+ public boolean getConfState() {
+ return confState;
+ }
+
+ public boolean getIntegState() {
+ return integState;
+ }
+
+ public int getLifetime() {
+ return GSSContext.INDEFINITE_LIFETIME;
+ }
+
+ public boolean isEstablished() {
+ return ctxState == STATE_ESTABLISHED;
+ }
+
+ public GSSNameSpi getSrcName() throws GSSException {
+ return isInitiator() ? myName : peerName;
+ }
+
+ public GSSNameSpi getTargName() throws GSSException {
+ return !isInitiator() ? myName : peerName;
+ }
+
+ public Oid getMech() throws GSSException {
+ return KerbyMechFactory.getOid();
+ }
+
+ public GSSCredentialSpi getDelegCred() throws GSSException {
+ throw new GSSException(GSSException.FAILURE, -1, "API not implemented"); // TODO:
+ }
+
+ public byte[] initSecContext(InputStream is, int mechTokenSize)
+ throws GSSException {
+ if (!isInitiator()) {
+ throw new GSSException(GSSException.FAILURE, -1, "initSecContext called on acceptor");
+ }
+
+ byte[] ret = null;
+
+ if (ctxState == STATE_NONE) {
+
+ if (!myCred.isInitiatorCredential()) {
+ throw new GSSException(GSSException.NO_CRED, -1, "No TGT available");
+ }
+
+ // check if service ticket already exists
+ // if not, prepare to get it through TGS_REQ
+ SgtTicket sgtTicket = null;
+ String serviceName = peerName.getPrincipalName().getName();
+ myName = (KerbyNameElement) myCred.getName();
+ PrincipalName clientPrincipal = myName.getPrincipalName();
+
+ sgtTicket = KerbyUtil.getSgtCredentialFromContext(caller, clientPrincipal.getName(), serviceName);
+
+ if (sgtTicket == null) {
+ sgtTicket = KerbyUtil.applySgtCredential(((KerbyInitCred) myCred).ticket, serviceName);
+
+ // add this service credential to context
+ final KerberosTicket ticket =
+ KerbyUtil.convertKrbTicketToKerberosTicket(sgtTicket, myName.getPrincipalName().getName());
+ CredUtils.addCredentialToSubject(ticket);
+ }
+
+ ApRequest apRequest = new ApRequest(clientPrincipal, sgtTicket);
+ try {
+ outApReq = apRequest.getApReq();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq failed: " + e.getMessage());
+ }
+ setupInitiatorContext(sgtTicket, apRequest);
+ try {
+ ret = outApReq.encode();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq bytes failed: " + e.getMessage());
+ }
+
+ ctxState = STATE_ESTABLISHING;
+ if (!getMutualAuthState()) {
+ ctxState = STATE_ESTABLISHED;
+ }
+
+ } else if (ctxState == STATE_ESTABLISHING) {
+ verifyServerToken(is, mechTokenSize);
+ outApReq = null;
+ ctxState = STATE_ESTABLISHED;
+ }
+ return ret;
+ }
+
+ private void setupInitiatorContext(SgtTicket sgt, ApRequest apRequest) throws GSSException {
+ EncKdcRepPart encKdcRepPart = sgt.getEncKdcRepPart();
+ TicketFlags ticketFlags = encKdcRepPart.getFlags();
+ setTicketFlags(ticketFlags);
+
+ setAuthTime(encKdcRepPart.getAuthTime().toString());
+
+ Authenticator auth;
+ try {
+ auth = apRequest.getApReq().getAuthenticator();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "ApReq failed in Initiator");
+ }
+ setMySequenceNumber(auth.getSeqNumber());
+
+ EncryptionKey subKey = auth.getSubKey();
+ if (subKey != null) {
+ setSessionKey(subKey, KerbyContext.INITIATOR_SUBKEY);
+ } else {
+ setSessionKey(sgt.getSessionKey(), KerbyContext.SESSION_KEY);
+ }
+
+ if (!getMutualAuthState()) {
+ setPeerSequenceNumber(0);
+ }
+ }
+
+ /**
+ * Verify the AP_REP from server and set context accordingly
+ * @param is
+ * @param mechTokenSize
+ * @return
+ * @throws GSSException
+ * @throws IOException
+ */
+ private void verifyServerToken(InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] token = new byte[mechTokenSize];
+ ApRep apRep;
+ try {
+ is.read(token);
+ apRep = new ApRep();
+ apRep.decode(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep " + e.getMessage());
+ }
+
+ try {
+ ApResponse.validate(getSessionKey(), apRep, outApReq);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApRep verification failed");
+ }
+
+ EncryptionKey key = apRep.getEncRepPart().getSubkey();
+ if (key != null) {
+ setSessionKey(key, ACCEPTOR_SUBKEY);
+ }
+
+ int seqNum = apRep.getEncRepPart().getSeqNumber();
+ setPeerSequenceNumber(seqNum == -1 ? 0 : seqNum);
+ }
+
+ public byte[] acceptSecContext(InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] ret = null;
+
+ if (isInitiator()) {
+ throw new GSSException(GSSException.FAILURE, -1, "acceptSecContext called on initiator");
+ }
+
+ if (ctxState == STATE_NONE) {
+ ctxState = STATE_ESTABLISHING;
+ if (!myCred.isAcceptorCredential()) {
+ throw new GSSException(GSSException.FAILURE, -1, "No acceptor credential available");
+ }
+
+ KerbyAcceptCred acceptCred = (KerbyAcceptCred) myCred;
+ CredUtils.checkPrincipalPermission(
+ ((KerbyNameElement) acceptCred.getName()).getPrincipalName().getName(), "accept");
+
+ if (getMutualAuthState()) {
+ ret = verifyClientToken(acceptCred, is, mechTokenSize);
+ }
+
+ myCred = null;
+ ctxState = STATE_ESTABLISHED;
+ }
+
+ return ret;
+ }
+
+ private byte[] verifyClientToken(KerbyAcceptCred acceptCred, InputStream is, int mechTokenSize)
+ throws GSSException {
+ byte[] token = new byte[mechTokenSize];
+ ApReq apReq;
+ try {
+ is.read(token);
+ apReq = new ApReq();
+ apReq.decode(token);
+ } catch (IOException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid" + e.getMessage());
+ }
+
+ int kvno = apReq.getTicket().getEncryptedEncPart().getKvno();
+ int encryptType = apReq.getTicket().getEncryptedEncPart().getEType().getValue();
+
+ // Get server key from credential
+ EncryptionKey serverKey = KerbyUtil.getEncryptionKey(acceptCred.getKeys(), encryptType, kvno);
+ if (serverKey == null) {
+ throw new GSSException(GSSException.FAILURE, -1, "Server key not found");
+ }
+
+ try {
+ ApRequest.validate(serverKey, apReq, channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq verification failed: " + e.getMessage());
+ }
+
+ ApResponse apResponse = new ApResponse(apReq);
+ ApRep apRep;
+ try {
+ apRep = apResponse.getApRep();
+ } catch (KrbException e) {
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "Generate ApRep failed");
+ }
+
+ EncTicketPart apReqTicketEncPart = apReq.getTicket().getEncPart();
+
+ EncryptionKey ssKey = apReqTicketEncPart.getKey();
+ Authenticator auth = apReq.getAuthenticator();
+ EncryptionKey subKey = auth.getSubKey();
+
+ if (subKey != null) {
+ setSessionKey(subKey, INITIATOR_SUBKEY);
+ } else {
+ setSessionKey(ssKey, SESSION_KEY);
+ }
+
+ // initial seqNumber
+ int seqNumber = auth.getSeqNumber();
+ setMySequenceNumber(seqNumber);
+ // initial authtime, tktflags, authdata,
+ setAuthTime(apReqTicketEncPart.getAuthTime().toString());
+ setTicketFlags(apReqTicketEncPart.getFlags());
+ setAuthData(apReqTicketEncPart.getAuthorizationData());
+
+ byte[] ret = null;
+ try {
+ ret = apRep.encode();
+ } catch (IOException e) {
+ throw new GSSException(GSSException.FAILURE, -1, "Generate ApRep bytes failed:" + e.getMessage());
+ }
+ return ret;
+ }
+
+ public int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
+ throws GSSException {
+ return 65536; // TODO: to be implemented
+ }
+
+ public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
+ throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
+ }
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
+ }
+
+ public byte[] wrap(byte[] inBuf, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
+ }
+ return null; // TODO: to be implemented
+ }
+
+ public void unwrap(InputStream is, OutputStream os,
+ MessageProp msgProp) throws GSSException {
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
+ }
+
+ public byte[] unwrap(byte[] inBuf, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
+ }
+ return null; // TODO: to be implemented
+ }
+
+ public void getMIC(InputStream is, OutputStream os,
+ MessageProp msgProp)
+ throws GSSException {
+ }
+
+ public byte[] getMIC(byte[] inMsg, int offset, int len,
+ MessageProp msgProp) throws GSSException {
+ return null; // TODO: to be implemented
+ }
+
+ public void verifyMIC(InputStream is, InputStream msgStr,
+ MessageProp msgProp) throws GSSException {
+ }
+
+ public void verifyMIC(byte[]inTok, int tokOffset, int tokLen,
+ byte[] inMsg, int msgOffset, int msgLen,
+ MessageProp msgProp) throws GSSException {
+ }
+
+ public byte[] export() throws GSSException {
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export method");
+ }
+
+ public void dispose() throws GSSException {
+ ctxState = STATE_DESTROYED;
+ setSessionKey(null, 0);
+ peerName = null;
+ myCred = null;
+ myName = null;
+ }
+
+
+ private String authTime;
+ private void setAuthTime(String authTime) {
+ this.authTime = authTime;
+ }
+
+ public Object inquireSecContext(InquireType type) throws GSSException {
+ if (ctxState != STATE_ESTABLISHED) {
+ throw new GSSException(GSSException.NO_CONTEXT, -1, "Invalid context");
+ }
+
+ switch (type) {
+ case KRB5_GET_SESSION_KEY:
+ return getSessionKey();
+ case KRB5_GET_TKT_FLAGS:
+ return KerbyUtil.ticketFlagsToBooleans(ticketFlags);
+ case KRB5_GET_AUTHZ_DATA:
+ if (isInitiator()) {
+ throw new GSSException(GSSException.UNAVAILABLE, -1,
+ "Authorization data not available for initiator");
+ } else {
+ return KerbyUtil.kerbyAuthorizationDataToJgssAuthorizationDataEntries(authData);
+ }
+ case KRB5_GET_AUTHTIME:
+ return authTime;
+ }
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported inquire type");
+ }
+
+
+ // functions not belong to SPI
+ private void setSessionKey(EncryptionKey encryptionKey, int keyComesFrom) {
+ this.sessionKey = encryptionKey;
+ this.keyComesFrom = keyComesFrom;
+ }
+
+ public int getKeyComesFrom() {
+ return keyComesFrom;
+ }
+
+ private EncryptionKey getSessionKey() {
+ return sessionKey;
+ }
+
+ private void setTicketFlags(TicketFlags ticketFlags) {
+ this.ticketFlags = ticketFlags;
+ }
+
+ private AuthorizationData authData;
+ private void setAuthData(AuthorizationData authData) {
+ this.authData = authData;
+ }
+
+
+ private int mySequenceNumber;
+ private int peerSequenceNumber;
+ private Object mySequenceNumberLock;
+ private Object peerSequenceNumberLock;
+
+ public void setMySequenceNumber(int sequenceNumber) {
+ synchronized (mySequenceNumberLock) {
+ mySequenceNumber = sequenceNumber;
+ }
+ }
+
+ public int incMySequenceNumber() {
+ synchronized (mySequenceNumberLock) {
+ return mySequenceNumber++;
+ }
+ }
+
+ public void setPeerSequenceNumber(int sequenceNumber) {
+ synchronized (peerSequenceNumberLock) {
+ peerSequenceNumber = sequenceNumber;
+ }
+ }
+
+ public int incPeerSequenceNumber() {
+ synchronized (peerSequenceNumberLock) {
+ return peerSequenceNumber++;
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/25dc6b88/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
index 61eeb8d..a5abb46 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
@@ -38,6 +38,7 @@ import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSCaller;
import javax.crypto.SecretKey;
import javax.security.auth.kerberos.KerberosKey;
@@ -183,6 +184,18 @@ public class KerbyUtil {
}
/**
+ * Scan current context for SgtTicket
+ * @param client
+ * @param service
+ * @return
+ */
+ public static SgtTicket getSgtCredentialFromContext(GSSCaller caller, String client, String service)
+ throws GSSException {
+ KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, client, service);
+ return getSgtTicketFromKerberosTicket(ticket);
+ }
+
+ /**
* Construct a SgtTicket from KerberosTicket
* @param kerberosTicket
* @return
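Review bot: The Javadoc on the new getSgtCredentialFromContext is incomplete — the `caller` parameter is undocumented, `@return` is empty, and the declared `GSSException` has no `@throws` — and the one fact a caller most needs is that it can return null: getSgtTicketFromKerberosTicket returns null when the context lookup finds no ticket, which is exactly what the initiator path tests for before falling back to a TGS_REQ. I would write `@param caller the GSS caller type used to scope the Subject/context lookup`, `@return the cached service ticket for this client/service pair, or null if none is present`, and `@throws GSSException if a cached ticket is found but cannot be decoded`. Security-wise, the lookup as written keys only on client and service names; nothing in this hunk checks that a matched ticket is still within its validity period, so if CredUtils.getKerberosTicketFromContext does not filter on that, an expired cached ticket would be fed straight into the AP_REQ — worth confirming and noting in the Javadoc either way.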
@@ -284,15 +297,6 @@ public class KerbyUtil {
return ticket;
}
- public static byte[] getAPRequest(PrincipalName clientPricipal, SgtTicket sgt) throws GSSException {
- ApRequest apRequest = new ApRequest(clientPricipal, sgt);
- try {
- return apRequest.getApReq().encode();
- } catch (Exception e) { // IOExcetpion, KrbException
- throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq failed: " + e.getMessage());
- }
- }
-
public static KrbClientBase getKrbClient() {
KrbClientBase client;
try {
[28/50] [abbrv] directory-kerby git commit: Refactoring the package
and structure
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
deleted file mode 100644
index 081788b..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyUtil.java
+++ /dev/null
@@ -1,386 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.apache.kerby.kerberos.kerb.KrbException;
-import org.apache.kerby.kerberos.kerb.client.KrbClientBase;
-import org.apache.kerby.kerberos.kerb.type.KerberosTime;
-import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
-import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry;
-import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
-import org.apache.kerby.kerberos.kerb.type.base.HostAddress;
-import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
-import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
-import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
-import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
-import org.apache.kerby.kerberos.kerb.type.kdc.EncTgsRepPart;
-import org.apache.kerby.kerberos.kerb.type.ticket.KrbTicket;
-import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
-import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
-import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
-import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
-import org.ietf.jgss.GSSException;
-import sun.security.jgss.GSSCaller;
-
-import javax.crypto.SecretKey;
-import javax.security.auth.kerberos.KerberosKey;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.kerberos.KerberosTicket;
-import java.io.File;
-import java.io.IOException;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.nio.ByteBuffer;
-import java.security.AccessController;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.Date;
-import java.util.List;
-
-/**
- * Some utility functions to translate types between GSS and Kerby
- */
-public class KerbyUtil {
- private static final int KERBEROS_TICKET_NUM_FLAGS = 32; // KerberosTicket.NUM_LENGTH
-
- /**
- * Construct TgtTicket from info contained in KerberosTicket
- * @param kerberosTicket
- * @return
- * @throws GSSException
- */
- public static TgtTicket getTgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
- String clientName = kerberosTicket.getClient().getName();
- PrincipalName clientPrincipal = new PrincipalName(clientName);
-
- byte[] asn1Encoded = kerberosTicket.getEncoded();
- Ticket ticket = getTicketFromAsn1Encoded(asn1Encoded);
-
- EncAsRepPart encAsRepPart = new EncAsRepPart();
- fillEncKdcRepPart(encAsRepPart, kerberosTicket);
-
- TgtTicket tgt = new TgtTicket(ticket, encAsRepPart, clientPrincipal);
- return tgt;
- }
-
- /**
- * Init encKdcRepPart members with info from kerberosTicket
- * @param encKdcRepPart
- * @param kerberosTicket
- */
- public static void fillEncKdcRepPart(EncKdcRepPart encKdcRepPart, KerberosTicket kerberosTicket) {
- String clientName = kerberosTicket.getClient().getName();
- PrincipalName clientPrincipal = new PrincipalName(clientName);
-
- SecretKey secretKey = kerberosTicket.getSessionKey();
- int keyType = kerberosTicket.getSessionKeyType();
- EncryptionKey key = new EncryptionKey(keyType, secretKey.getEncoded());
- encKdcRepPart.setKey(key);
-
- encKdcRepPart.setSname(clientPrincipal);
- Date authTimeDate = kerberosTicket.getAuthTime();
- if (authTimeDate != null) {
- encKdcRepPart.setAuthTime(new KerberosTime(authTimeDate.getTime()));
- }
- Date startTimeDate = kerberosTicket.getStartTime();
- if (startTimeDate != null) {
- encKdcRepPart.setStartTime(new KerberosTime(startTimeDate.getTime()));
- }
- KerberosTime endTime = new KerberosTime(kerberosTicket.getEndTime().getTime());
- encKdcRepPart.setEndTime(endTime);
-
-
- InetAddress[] clientAddresses = kerberosTicket.getClientAddresses();
- HostAddresses hostAddresses = null;
- if (clientAddresses != null) {
- hostAddresses = new HostAddresses();
- for (InetAddress iAddr : clientAddresses) {
- hostAddresses.add(new HostAddress(iAddr));
- }
- }
- encKdcRepPart.setCaddr(hostAddresses);
-
- boolean[] tf = kerberosTicket.getFlags();
- TicketFlags ticketFlags = getTicketFlags(tf);
- encKdcRepPart.setFlags(ticketFlags);
-
-
- /* encKdcRepPart.setKeyExpiration();
- encKdcRepPart.setLastReq();
- encKdcRepPart.setNonce(); */
-
- Date renewTillDate = kerberosTicket.getRenewTill();
- KerberosTime renewTill = renewTillDate == null ? null : new KerberosTime(renewTillDate.getTime());
- encKdcRepPart.setRenewTill(renewTill);
-
- String serverRealm = kerberosTicket.getServer().getRealm();
- encKdcRepPart.setSrealm(serverRealm);
- }
-
- /**
- * Generate TicketFlags instance from flags
- * @param flags each item in flags identifies an bit setted or not
- * @return
- */
- public static TicketFlags getTicketFlags(boolean[] flags) {
- if (flags == null || flags.length != KERBEROS_TICKET_NUM_FLAGS) {
- return null;
- }
- int value = 0;
- for (boolean flag : flags) {
- value = (value << 1) + (flag ? 1 : 0);
- }
- return new TicketFlags(value);
- }
-
- /**
- * Decode each flag in ticketFlags into an boolean array
- * @param ticketFlags
- * @return
- */
- public static boolean[] ticketFlagsToBooleans(TicketFlags ticketFlags) {
- boolean[] ret = new boolean[KERBEROS_TICKET_NUM_FLAGS];
- int value = ticketFlags.getFlags();
- for (int i = 0; i < KERBEROS_TICKET_NUM_FLAGS; i++) {
- ret[KERBEROS_TICKET_NUM_FLAGS - i - 1] = (value & 0x1) != 0;
- value = value >> 1;
- }
- return ret;
- }
-
- /**
- * Construct a Ticket from bytes encoded by Asn1
- * @param encoded
- * @return
- * @throws GSSException
- */
- public static Ticket getTicketFromAsn1Encoded(byte[] encoded) throws GSSException {
- Ticket ticket = new Ticket();
- ByteBuffer byteBuffer = ByteBuffer.wrap(encoded);
- try {
- ticket.decode(byteBuffer);
- return ticket;
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
- }
- }
-
- /**
- * Scan current context for SgtTicket
- * @param client
- * @param service
- * @return
- */
- public static SgtTicket getSgtCredentialFromContext(GSSCaller caller, String client, String service)
- throws GSSException {
- KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, client, service);
- return getSgtTicketFromKerberosTicket(ticket);
- }
-
- /**
- * Construct a SgtTicket from KerberosTicket
- * @param kerberosTicket
- * @return
- * @throws GSSException
- */
- public static SgtTicket getSgtTicketFromKerberosTicket(KerberosTicket kerberosTicket) throws GSSException {
- if (kerberosTicket == null) {
- return null;
- }
-
- Ticket ticket = getTicketFromAsn1Encoded(kerberosTicket.getEncoded());
-
- EncTgsRepPart encTgsRepPart = new EncTgsRepPart();
- fillEncKdcRepPart(encTgsRepPart, kerberosTicket);
-
- SgtTicket sgt = new SgtTicket(ticket, encTgsRepPart);
- return sgt;
- }
-
- /**
- * Apply SgtTicket by sending TGS_REQ to KDC
- * @param ticket
- * @param service
- * @return
- */
- public static SgtTicket applySgtCredential(KerberosTicket ticket, String service) throws GSSException {
- TgtTicket tgt = getTgtTicketFromKerberosTicket(ticket);
- return applySgtCredential(tgt, service);
- }
-
- public static SgtTicket applySgtCredential(TgtTicket tgt, String server) throws GSSException {
- KrbClientBase client = getKrbClient();
-
- SgtTicket sgt = null;
- try {
- client.init();
- sgt = client.requestSgt(tgt, server);
- return sgt;
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
- }
- }
-
- public static KerberosTicket convertKrbTicketToKerberosTicket(KrbTicket krbTicket, String clientName)
- throws GSSException {
- byte[] asn1Encoding;
- try {
- asn1Encoding = krbTicket.getTicket().encode();
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
- }
-
- byte[] sessionKey = krbTicket.getSessionKey().getKeyData();
- int keyType = krbTicket.getSessionKey().getKeyType().getValue();
-
- EncKdcRepPart encKdcRepPart = krbTicket.getEncKdcRepPart();
- KerberosPrincipal client = new KerberosPrincipal(clientName);
-
- PrincipalName serverPrinc = krbTicket.getTicket().getSname();
- String serverName = serverPrinc.getName() + "@" + krbTicket.getTicket().getRealm();
- KerberosPrincipal server = new KerberosPrincipal(serverName, serverPrinc.getNameType().getValue());
-
- TicketFlags ticketFlags = encKdcRepPart.getFlags();
- boolean[] flags = ticketFlagsToBooleans(ticketFlags);
-
- Date authTime = new Date(encKdcRepPart.getAuthTime().getTime());
- Date startTime = new Date(encKdcRepPart.getStartTime().getTime());
- Date endTime = new Date(encKdcRepPart.getEndTime().getTime());
- Date renewTill = new Date(encKdcRepPart.getRenewTill().getTime());
-
- InetAddress[] clientAddresses = null;
- List<HostAddress> hostAddresses = encKdcRepPart.getCaddr().getElements();
- if (hostAddresses != null) {
- int i = 0;
- clientAddresses = new InetAddress[hostAddresses.size()];
- for (HostAddress hostAddr : hostAddresses) {
- try {
- InetAddress iAddr = InetAddress.getByAddress(hostAddr.getAddress());
- clientAddresses[i++] = iAddr;
- } catch (UnknownHostException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Bad client address");
- }
- }
- }
-
- KerberosTicket ticket = new KerberosTicket(
- asn1Encoding,
- client,
- server,
- sessionKey,
- keyType,
- flags,
- authTime,
- startTime,
- endTime,
- renewTill,
- clientAddresses
- );
- return ticket;
- }
-
- public static KrbClientBase getKrbClient() {
- KrbClientBase client;
- try {
- File confSpecified = new File(getSystemProperty("java.security.krb5.conf"));
- if (confSpecified != null) {
- client = new KrbClientBase(confSpecified);
- } else {
- client = new KrbClientBase(); // get configure file from environment variable or default path
- }
-
- return client;
- } catch (KrbException e) {
- return null;
- }
- }
-
- public static EncryptionKey[] convertKerberosKeyToEncryptionKey(KerberosKey[] krbKeys) {
- if (krbKeys == null) {
- return null;
- }
- EncryptionKey[] keys = new EncryptionKey[krbKeys.length];
- int i = 0;
- for (KerberosKey krbKey : krbKeys) {
- keys[i++] = new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
- }
- return keys;
- }
-
- /**
- * Filter out an appropriate KerberosKey from krbKeys and generate a
- * EncryptionKey accordingly
- *
- * @param krbKeys
- * @param encType
- * @param kvno
- * @return
- */
- public static EncryptionKey getEncryptionKey(KerberosKey[] krbKeys, int encType, int kvno) {
- if (krbKeys == null) {
- return null;
- }
- for (KerberosKey krbKey : krbKeys) {
- if (krbKey.getKeyType() == encType && krbKey.getVersionNumber() == kvno && !krbKey.isDestroyed()) {
- return new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
- }
- }
- return null;
- }
-
- /**
- * Get value of predefined system property
- * @param name
- * @return
- */
- private static String getSystemProperty(String name) {
- if (name == null) {
- return null;
- }
-
- final String propertyName = name;
- try {
- return AccessController.doPrivileged(
- new PrivilegedExceptionAction<String>() {
- public String run() {
- return System.getProperty(propertyName);
- }
- });
- } catch (PrivilegedActionException e) {
- return null; // ignored
- }
- }
-
- public static com.sun.security.jgss.AuthorizationDataEntry[]
- kerbyAuthorizationDataToJgssAuthorizationDataEntries(AuthorizationData authData) {
- if (authData == null) {
- return null;
- }
- List<AuthorizationDataEntry> kerbyEntries = authData.getElements();
- com.sun.security.jgss.AuthorizationDataEntry[] entries =
- new com.sun.security.jgss.AuthorizationDataEntry[kerbyEntries.size()];
- for (int i = 0; i < kerbyEntries.size(); i++) {
- entries[i] = new com.sun.security.jgss.AuthorizationDataEntry(
- kerbyEntries.get(i).getAuthzType().getValue(),
- kerbyEntries.get(i).getAuthzData());
- }
- return entries;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
deleted file mode 100644
index 6a76e4c..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-public class MicTokenV1 extends KerbyGssTokenV1 {
- public MicTokenV1(KerbyContext context,
- byte[] inMsg,
- int msgOffset,
- int msgLength,
- MessageProp messageProp) throws GSSException {
- super(TOKEN_MIC_V1, context);
- calcPrivacyInfo(messageProp, null, inMsg, msgOffset, msgLength, 0);
- }
-
- // This is called to construct MicToken from MicToken bytes
- MicTokenV1(KerbyContext context,
- MessageProp messageProp,
- byte[] inToken,
- int tokenOffset,
- int tokenLength) throws GSSException {
- super(TOKEN_MIC_V1, context, messageProp, inToken, tokenOffset, tokenLength);
- }
-
- public int getMic(byte[] outToken, int offset) throws GSSException, IOException {
- byte[] data = getMic();
- System.arraycopy(data, 0, outToken, offset, data.length);
- return data.length;
- }
-
- /**
- * Get bytes for this Mic token
- * @return
- */
- public byte[] getMic() throws GSSException {
- ByteArrayOutputStream os = new ByteArrayOutputStream(64);
- getMic(os);
- return os.toByteArray();
- }
-
- public void getMic(OutputStream os) throws GSSException {
- try {
- encodeHeader(os);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Error in output MicTokenV1 bytes:" + e.getMessage());
- }
- }
-
- public void verify(InputStream is) throws GSSException {
- byte[] data;
- try {
- data = new byte[is.available()];
- is.read(data);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Read plain data for MicTokenV1 error:" + e.getMessage());
- }
- verify(data, 0, data.length);
- }
-
- public void verify(byte[] data, int offset, int len) throws GSSException {
- verifyToken(null, data, offset, len, 0);
- }
-
- protected int getTokenSizeWithoutGssHeader() {
- return getTokenHeaderSize();
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
deleted file mode 100644
index 7ba27ab..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV2.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-
-import java.io.IOException;
-import java.io.OutputStream;
-
-public class MicTokenV2 extends KerbyGssTokenV2 {
- private MessageProp prop;
-
- // This is called to construct MicToken from user input
- MicTokenV2(KerbyContext context,
- byte[] inMsg,
- int msgOffset,
- int msgLength,
- MessageProp messageProp) throws GSSException {
- super(TOKEN_MIC_V2, context);
-
- prop = messageProp;
- if (prop == null) {
- prop = new MessageProp(0, false);
- }
-
- generateCheckSum(prop, inMsg, msgOffset, msgLength);
- }
-
- // This is called to construct MicToken from MicToken bytes
- MicTokenV2(KerbyContext context,
- MessageProp messageProp,
- byte[] inToken,
- int tokenOffset,
- int tokenLength) throws GSSException {
- super(TOKEN_MIC_V2, context, messageProp, inToken, tokenOffset, tokenLength);
- this.prop = messageProp;
- }
-
- public int getMic(byte[] outToken, int offset) {
- encodeHeader(outToken, offset);
- System.arraycopy(checkSum, 0, outToken, TOKEN_HEADER_SIZE + offset, checkSum.length);
- return TOKEN_HEADER_SIZE + checkSum.length;
- }
-
- /**
- * Get bytes for this Mic token
- * @return
- */
- public byte[] getMic() {
- byte[] ret = new byte[TOKEN_HEADER_SIZE + checkSum.length];
- getMic(ret, 0);
- return ret;
- }
-
- public void getMic(OutputStream os) throws GSSException {
- try {
- encodeHeader(os);
- os.write(checkSum);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Output MicTokenV2 error:" + e.getMessage());
- }
- }
-
- /**
- * Calculate the checksum for inMsg and compare with it with this token, throw GssException if not equal
- * @param inMsg
- * @param msgOffset
- * @param msgLen
- * @throws GSSException
- */
- public void verify(byte[] inMsg, int msgOffset, int msgLen) throws GSSException {
- if (!verifyCheckSum(inMsg, msgOffset, msgLen)) {
- throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt MIC token");
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
deleted file mode 100644
index 8ecdae4..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
+++ /dev/null
@@ -1,196 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.apache.kerby.kerberos.kerb.crypto.util.Random;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-import sun.security.jgss.GSSHeader;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-public class WrapTokenV1 extends KerbyGssTokenV1 {
- public static final int CONFOUNDER_SIZE = 8;
-
- private boolean privacy;
-
- private byte[] inData;
- private int inOffset;
- private int inLen;
-
- private int paddingLen;
- private byte[] confounder;
- private int tokenBodyLen;
-
- private byte[] bodyData;
- private int bodyOffset;
- private int bodyLen;
-
- // for reconstruct
- private int rawDataLength;
- private byte[] rawData;
- private int rawDataOffset;
-
-
- // Generate wrap token according user data
- public WrapTokenV1(KerbyContext context,
- byte[] inMsg,
- int msgOffset,
- int msgLength,
- MessageProp prop) throws GSSException {
- super(TOKEN_WRAP_V1, context);
-
- paddingLen = getPaddingLength(msgLength);
- confounder = Random.makeBytes(CONFOUNDER_SIZE);
- tokenBodyLen = CONFOUNDER_SIZE + msgLength + paddingLen;
-
- calcPrivacyInfo(prop, confounder, inMsg, msgOffset, msgLength, paddingLen);
-
- if (!context.getConfState()) {
- prop.setPrivacy(false);
- }
- privacy = prop.getPrivacy();
- inData = inMsg;
- inOffset = msgOffset;
- inLen = msgLength;
- }
-
- // Reconstruct a token from token bytes
- public WrapTokenV1(KerbyContext context, MessageProp prop,
- byte[] token, int offset, int len) throws GSSException {
- super(TOKEN_WRAP_V1, context, prop, token, offset, len);
- // adjust the offset to the beginning of the body
- bodyData = token;
- bodyOffset = offset + reconHeaderLen;
- bodyLen = len - reconHeaderLen;
- getRawData(prop);
- }
-
- // Reconstruct a token from token bytes stream
- public WrapTokenV1(KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
- super(TOKEN_WRAP_V1, context, prop, is);
- byte[] token;
- int len;
- try {
- len = is.available();
- token = new byte[len];
- is.read(token);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Read wrap token V1 error:" + e.getMessage());
- }
- bodyData = token;
- bodyOffset = 0;
- bodyLen = len;
- getRawData(prop);
- }
-
- private void getRawData(MessageProp prop) throws GSSException {
- privacy = prop.getPrivacy();
- tokenBodyLen = getGssHeader().getMechTokenLength() - getTokenHeaderSize();
-
- if (bodyLen < tokenBodyLen) {
- throw new GSSException(GSSException.FAILURE, -1, "Insufficient data for Wrap token V1");
- }
-
- if (privacy) {
- rawData = encryptor.encryptTokenV1(null, bodyData, bodyOffset, tokenBodyLen, 0,
- encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, false);
- paddingLen = rawData[rawData.length - 1];
- rawDataOffset = CONFOUNDER_SIZE;
- } else {
- rawData = bodyData;
- paddingLen = bodyData[bodyOffset + tokenBodyLen - 1];
- rawDataOffset = bodyOffset + CONFOUNDER_SIZE;
- }
- rawDataLength = tokenBodyLen - CONFOUNDER_SIZE - paddingLen;
-
- verifyToken(null, rawData, rawDataOffset - CONFOUNDER_SIZE, tokenBodyLen, 0);
- }
-
- // Get plain text data from token data bytes
- public byte[] unwrap() throws GSSException {
- byte[] ret = new byte[rawDataLength];
- System.arraycopy(rawData, rawDataOffset, ret, 0, rawDataLength);
- return ret;
- }
-
- public void unwrap(OutputStream os) throws GSSException {
- try {
- os.write(rawData, rawDataOffset, rawDataLength);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Error in output wrap token v1 data bytes:" + e.getMessage());
- }
- }
-
- public byte[] wrap() throws GSSException {
- ByteArrayOutputStream os = new ByteArrayOutputStream(getTokenSizeWithoutGssHeader() + inLen + 64);
- wrap(os);
- return os.toByteArray();
- }
-
- public void wrap(OutputStream os) throws GSSException {
- try {
- encodeHeader(os);
- if (privacy) {
- byte[] enc = encryptor.encryptTokenV1(confounder, inData, inOffset, inLen, paddingLen,
- encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, true);
- os.write(enc);
- } else {
- os.write(confounder);
- os.write(inData, inOffset, inLen);
- os.write(getPaddingBytes(paddingLen));
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Error in output wrap token v1 bytes:" + e.getMessage());
- }
- }
-
- protected int getTokenSizeWithoutGssHeader() {
- return tokenBodyLen + getTokenHeaderSize();
- }
-
- private int getPaddingLength(int dataLen) {
- if (encryptor.isArcFourHmac()) {
- return 1;
- }
- return 8 - (dataLen % 8);
- }
-
- private byte[] getPaddingBytes(int len) {
- byte[] ret = new byte[len];
- int i = 0;
- while (i < len) {
- ret[i++] = (byte) len;
- }
- return ret;
- }
-
- public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, KerbyGssEncryptor encryptor)
- throws GSSException {
- return GSSHeader.getMaxMechTokenSize(objId, maxTokSize)
- - encryptor.getCheckSumSize()
- - TOKEN_HEADER_COMM_SIZE - TOKEN_HEADER_SEQ_SIZE
- - CONFOUNDER_SIZE - 8;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
deleted file mode 100644
index 57f9e45..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
+++ /dev/null
@@ -1,158 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-
-public class WrapTokenV2 extends KerbyGssTokenV2 {
- private MessageProp prop;
-
- // Generate a token from user input data
- WrapTokenV2(KerbyContext context,
- byte[] data,
- int dataOffset,
- int dataLength,
- MessageProp messageProp) throws GSSException {
- super(TOKEN_WRAP_V2, context);
-
- prop = messageProp;
-
- if (prop.getQOP() != 0) {
- prop.setQOP(0);
- }
-
- if (!context.getConfState()) {
- prop.setPrivacy(false);
- }
-
- generateCheckSum(prop, data, dataOffset, dataLength);
-
- if (prop.getPrivacy()) {
- byte[] toProcess = new byte[dataLength + TOKEN_HEADER_SIZE];
- System.arraycopy(data, dataOffset, toProcess, 0, dataLength);
- encodeHeader(toProcess, dataLength);
-
- tokenData = encryptor.encryptData(toProcess, getKeyUsage());
- } else {
- tokenData = data; // keep it for now
- }
- }
-
- /**
- * Get bytes of the token
- * @return
- */
- public byte[] wrap() {
- int dataSize = tokenData.length;
- int ckSize = checkSum == null ? 0 : checkSum.length;
- byte[] ret = new byte[TOKEN_HEADER_SIZE + dataSize + ckSize];
- encodeHeader(ret, 0);
- System.arraycopy(tokenData, 0, ret, TOKEN_HEADER_SIZE, dataSize);
- if (ckSize > 0) {
- System.arraycopy(checkSum, 0, ret, TOKEN_HEADER_SIZE + dataSize, ckSize);
- }
- return ret;
- }
-
- public void wrap(OutputStream os) throws GSSException {
- try {
- encodeHeader(os);
- os.write(tokenData);
- int ckSize = checkSum == null ? 0 : checkSum.length;
- if (ckSize > 0) {
- os.write(checkSum);
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
- }
- }
-
- // Reconstruct a token from token bytes
- public WrapTokenV2(KerbyContext context, MessageProp prop, byte[] token, int offset, int len) throws GSSException {
- super(TOKEN_WRAP_V2, context, prop, token, offset, len);
- this.prop = prop;
- }
-
- // Reconstruct a token from token bytes stream
- public WrapTokenV2(KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
- super(TOKEN_WRAP_V2, context, prop, is);
- this.prop = prop;
- }
-
- /**
- * Get plain text data from token bytes
- * @param outBuffer
- * @param offset
- * @return plain text contained in the wrap token
- * @throws GSSException
- */
- public byte[] unwrap(byte[] outBuffer, int offset) throws GSSException {
- int lenToCopy;
- if (prop.getPrivacy()) {
- byte[] plainText = encryptor.decryptData(tokenData, getKeyUsage());
- lenToCopy = plainText.length - TOKEN_HEADER_SIZE;
- if (outBuffer == null) {
- outBuffer = new byte[lenToCopy];
- offset = 0;
- }
- System.arraycopy(plainText, 0, outBuffer, offset, lenToCopy);
- } else {
- lenToCopy = tokenData.length - encryptor.getCheckSumSize();
- if (outBuffer == null) {
- outBuffer = new byte[lenToCopy];
- offset = 0;
- }
- System.arraycopy(tokenData, 0, outBuffer, offset, lenToCopy);
-
- if (!verifyCheckSum(outBuffer, offset, lenToCopy)) {
- throw new GSSException(GSSException.BAD_MIC, -1, "Corrupt token checksum");
- }
- }
- return outBuffer;
- }
-
- public byte[] unwrap() throws GSSException {
- return unwrap(null, 0);
- }
-
- public void unwrap(OutputStream os) throws GSSException {
- byte[] data = unwrap();
- try {
- os.write(data);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Output token error:" + e.getMessage());
- }
- }
-
- public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, KerbyGssEncryptor encryptor)
- throws GSSException {
- if (confReq) {
- return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE * 2 - CONFOUNDER_SIZE;
- } else {
- return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE;
- }
- }
-}
[40/50] [abbrv] directory-kerby git commit: Updating Apache DS
Posted by co...@apache.org.
Updating Apache DS
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/de7c8a91
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/de7c8a91
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/de7c8a91
Branch: refs/heads/gssapi
Commit: de7c8a91f1a9d2f3973d6b848934f1393403cfe8
Parents: 44db321
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jun 28 15:21:54 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kdc/identitybackend/LdapIdentityBackend.java | 2 ++
pom.xml | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/de7c8a91/kerby-backend/ldap-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/LdapIdentityBackend.java
----------------------------------------------------------------------
diff --git a/kerby-backend/ldap-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/LdapIdentityBackend.java b/kerby-backend/ldap-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/LdapIdentityBackend.java
index 99ba85d..21fb731 100644
--- a/kerby-backend/ldap-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/LdapIdentityBackend.java
+++ b/kerby-backend/ldap-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/LdapIdentityBackend.java
@@ -343,6 +343,8 @@ public class LdapIdentityBackend extends AbstractIdentityBackend {
e.printStackTrace();
} catch (CursorException e) {
e.printStackTrace();
+ } catch (IOException e) {
+ e.printStackTrace();
}
return identityNames;
}
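Review bot: The added `catch (IOException e)` only calls `e.printStackTrace()`, so an I/O failure while listing identities from the LDAP backend is written to stderr and the method still returns `identityNames`, which at that point may be empty or partially filled; a caller cannot distinguish a failed lookup from an empty directory. The two pre-existing catch blocks above it swallow in the same way, so the new one is consistent with them, but all three would serve the KDC better either rethrown as the backend's checked exception (if the method's signature allows it) or at least recorded through the project's logger, e.g. `LOG.error("Failed to list identities from the LDAP backend", e);`, so the failure survives in server logs rather than only on a console. The enclosing method starts outside the hunk, so its declared exceptions are not visible here.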
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/de7c8a91/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 3aeef2a..2a96ed5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -47,11 +47,11 @@
</distributionManagement>
<properties>
- <apacheds.version>2.0.0-M21</apacheds.version>
+ <apacheds.version>2.0.0-M22</apacheds.version>
<bouncycastle.version>1.54</bouncycastle.version>
<commons-io.version>2.5</commons-io.version>
<gson.version>2.6.2</gson.version>
- <ldap.api.version>1.0.0-M33</ldap.api.version>
+ <ldap.api.version>1.0.0-RC1</ldap.api.version>
<log4j.version>1.2.17</log4j.version>
<junit.version>4.12</junit.version>
<nimbus.jose.version>3.10</nimbus.jose.version>
[36/50] [abbrv] directory-kerby git commit: DIRKRB-584 - NPE if the
token issuers value is not specified
Posted by co...@apache.org.
DIRKRB-584 - NPE if the token issuers value is not specified
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/653f1762
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/653f1762
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/653f1762
Branch: refs/heads/gssapi
Commit: 653f1762ba271dfa9e6107dcb6825c7eb835540b
Parents: f904cda
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Jun 15 17:05:57 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../java/org/apache/kerby/kerberos/kerb/common/Krb5Conf.java | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/653f1762/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Conf.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Conf.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Conf.java
index 1dba876..7c4ae74 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Conf.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Conf.java
@@ -160,8 +160,10 @@ public class Krb5Conf extends Conf {
protected String[] getStringArray(ConfigKey key, boolean useDefault,
String ... sections) {
String value = getString(key, useDefault, sections);
- String[] values = value.split(LIST_SPLITTER);
- return values;
+ if (value != null) {
+ return value.split(LIST_SPLITTER);
+ }
+ return new String[]{};
}
protected Object getSection(String sectionName) {
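Review bot: The new null guard avoids the NPE, but a present-yet-empty value still yields a one-element array holding the empty string, because `"".split(LIST_SPLITTER)` returns `[""]`; if callers treat each element as a token issuer, an empty setting would register an empty issuer name. If that is not intended, tighten the guard to `if (value != null && !value.isEmpty()) {`. As a style point, `new String[0]` is the conventional spelling of the empty array returned on the fallback path.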
[44/50] [abbrv] directory-kerby git commit: DIRKRB-581 Imcompatible
token header in init context against JDK GssApi. Contributed by Wei.
Posted by co...@apache.org.
DIRKRB-581 Incompatible token header in init context against JDK GssApi. Contributed by Wei.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/34edd99a
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/34edd99a
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/34edd99a
Branch: refs/heads/gssapi
Commit: 34edd99a5b79588d5ff418524dbad51c89e76196
Parents: 42dc865
Author: plusplusjiajia <ji...@intel.com>
Authored: Sun Jun 12 10:13:17 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 31 ++++++++++++++++----
1 file changed, 26 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/34edd99a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index 0bdd360..e8bcc77 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -48,6 +48,7 @@ import javax.security.auth.kerberos.KerberosTicket;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
+import java.nio.ByteBuffer;
import java.security.Provider;
@SuppressWarnings("PMD")
@@ -58,6 +59,9 @@ public class KerbyContext implements GSSContextSpi {
private static final int STATE_ESTABLISHED = 2;
private static final int STATE_DESTROYED = 3;
+ private static final byte[] MSG_AP_REQ = {(byte) 0x1, (byte) 0};
+ private static final byte[] MSG_AP_REP = {(byte) 0x2, (byte) 0};
+
private int ctxState = STATE_NONE;
private final GSSCaller caller;
@@ -289,7 +293,11 @@ public class KerbyContext implements GSSContextSpi {
}
setupInitiatorContext(sgtTicket, apRequest);
try {
- ret = outApReq.encode();
+ ByteBuffer outBuffer = ByteBuffer.allocate(outApReq.encodingLength() + 2);
+ outBuffer.put(MSG_AP_REQ);
+ outApReq.encode(outBuffer);
+ outBuffer.flip();
+ ret = outBuffer.array();
} catch (IOException e) {
throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq bytes failed: " + e.getMessage());
}
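Review bot: The literal `2` in `ByteBuffer.allocate(outApReq.encodingLength() + 2)` duplicates the length of the `MSG_AP_REQ` prefix put into the buffer on the next line; `ByteBuffer.allocate(outApReq.encodingLength() + MSG_AP_REQ.length)` keeps the two in step if the message-ID prefix ever changes. The same applies to the `apRep.encodingLength() + 2` allocation in the last hunk of this file, where `MSG_AP_REP.length` is the matching constant. The `outBuffer.flip()` call has no effect on the `array()` call that follows it, since the whole backing array is returned regardless of position and limit, so it can be dropped or replaced by a comment saying the array is consumed directly.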
@@ -346,9 +354,13 @@ public class KerbyContext implements GSSContextSpi {
*/
private void verifyServerToken(InputStream is, int mechTokenSize)
throws GSSException {
- byte[] token = new byte[mechTokenSize];
+ byte[] token;
ApRep apRep;
try {
+ if (!(is.read() == MSG_AP_REP[0] && is.read() == MSG_AP_REP[1])) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep message ID");
+ }
+ token = new byte[mechTokenSize - MSG_AP_REP.length];
is.read(token);
apRep = new ApRep();
apRep.decode(token);
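Review bot: `token = new byte[mechTokenSize - MSG_AP_REP.length]` throws `NegativeArraySizeException` rather than a `GSSException` when the peer's mech token is shorter than the two-byte message ID, so a malformed or truncated reply escapes the context's error handling as an unchecked exception; guard the size before the message-ID check, e.g. `if (mechTokenSize < MSG_AP_REP.length) { throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "ApRep token too short"); }`. The same allocation pattern appears in `verifyClientToken` in the next hunk, where it is the acceptor that parses a not-yet-authenticated client token, so the same guard with `MSG_AP_REQ.length` is warranted there too. The unchanged `is.read(token)` on the following line may also return fewer bytes than requested, leaving the tail of `token` zeroed before `apRep.decode(token)`; reading with `new DataInputStream(is).readFully(token)` would surface a short token as an `IOException` that the existing catch already converts. `GSSException.DEFECTIVE_TOKEN` is also the more specific major code than `FAILURE` for the message-ID mismatch introduced here.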
@@ -404,14 +416,19 @@ public class KerbyContext implements GSSContextSpi {
private byte[] verifyClientToken(KerbyAcceptCred acceptCred, InputStream is, int mechTokenSize)
throws GSSException {
- byte[] token = new byte[mechTokenSize];
+ byte[] token;
ApReq apReq;
try {
+ if (!(is.read() == MSG_AP_REQ[0] && is.read() == MSG_AP_REQ[1])) {
+ throw new GSSException(GSSException.FAILURE, -1, "Invalid ApReq message ID");
+ }
+
+ token = new byte[mechTokenSize - MSG_AP_REQ.length];
is.read(token);
apReq = new ApReq();
apReq.decode(token);
} catch (IOException e) {
- throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid" + e.getMessage());
+ throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid:" + e.getMessage());
}
int kvno = apReq.getTicket().getEncryptedEncPart().getKvno();
@@ -460,7 +477,11 @@ public class KerbyContext implements GSSContextSpi {
byte[] ret = null;
try {
- ret = apRep.encode();
+ ByteBuffer outBuffer = ByteBuffer.allocate(apRep.encodingLength() + 2);
+ outBuffer.put(MSG_AP_REP);
+ apRep.encode(outBuffer);
+ outBuffer.flip();
+ ret = outBuffer.array();
} catch (IOException e) {
throw new GSSException(GSSException.FAILURE, -1, "Generate ApRep bytes failed:" + e.getMessage());
}
[50/50] [abbrv] directory-kerby git commit: Merge branch 'gssapi' of
https://git-wip-us.apache.org/repos/asf/directory-kerby into gssapi
Posted by co...@apache.org.
Merge branch 'gssapi' of https://git-wip-us.apache.org/repos/asf/directory-kerby into gssapi
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/53aade43
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/53aade43
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/53aade43
Branch: refs/heads/gssapi
Commit: 53aade43417b65958ae0393e3257803a49647a97
Parents: 8432c1a f3876f9
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 12:26:11 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:26:11 2017 +0100
----------------------------------------------------------------------
kerby-kerb/integration-test/pom.xml | 11 +++++++++++
1 file changed, 11 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/53aade43/kerby-kerb/integration-test/pom.xml
----------------------------------------------------------------------
diff --cc kerby-kerb/integration-test/pom.xml
index b091d30,c41d6a0..6453b42
--- a/kerby-kerb/integration-test/pom.xml
+++ b/kerby-kerb/integration-test/pom.xml
@@@ -50,15 -50,15 +50,26 @@@
<version>${project.version}</version>
</dependency>
<dependency>
++<<<<<<< HEAD
++=======
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerb-gssapi</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
++>>>>>>> f3876f97dfcba7cfe8b5eb793bfbec36669f93fc
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
<version>${slf4j.version}</version>
<scope>test</scope>
</dependency>
++<<<<<<< HEAD
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>kerb-gssapi</artifactId>
+ <version>${project.version}</version>
+ </dependency>
++=======
++>>>>>>> f3876f97dfcba7cfe8b5eb793bfbec36669f93fc
</dependencies>
</project>
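Review bot: The merge result leaves git conflict markers in `kerby-kerb/integration-test/pom.xml`: the `<<<<<<< HEAD`, `=======` and `>>>>>>> f3876f97…` lines carry the `++` marker, meaning they are new relative to both parents and are now part of the committed file, which is no longer well-formed XML (an unescaped `<` inside `<dependencies>`) and will not parse as a POM. The `org.apache.kerby:kerb-gssapi` dependency block is also present twice, once from each side of the merge. The fix is to keep exactly one `<dependency>` block for kerb-gssapi, in either position, and delete the six marker lines.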
[29/50] [abbrv] directory-kerby git commit: Refactoring the package
and structure
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
deleted file mode 100644
index e8bcc77..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ /dev/null
@@ -1,744 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import com.sun.security.jgss.InquireType;
-import org.apache.kerby.kerberos.kerb.KrbException;
-import org.apache.kerby.kerberos.kerb.gssapi.KerbyMechFactory;
-import org.apache.kerby.kerberos.kerb.request.ApRequest;
-import org.apache.kerby.kerberos.kerb.response.ApResponse;
-import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
-import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
-import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
-import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
-import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
-import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
-import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
-import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
-import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
-import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
-import org.ietf.jgss.ChannelBinding;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-import org.ietf.jgss.Oid;
-import sun.security.jgss.GSSCaller;
-import sun.security.jgss.spi.GSSContextSpi;
-import sun.security.jgss.spi.GSSCredentialSpi;
-import sun.security.jgss.spi.GSSNameSpi;
-
-import javax.security.auth.kerberos.KerberosTicket;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.nio.ByteBuffer;
-import java.security.Provider;
-
-@SuppressWarnings("PMD")
-public class KerbyContext implements GSSContextSpi {
-
- private static final int STATE_NONE = 0;
- private static final int STATE_ESTABLISHING = 1;
- private static final int STATE_ESTABLISHED = 2;
- private static final int STATE_DESTROYED = 3;
-
- private static final byte[] MSG_AP_REQ = {(byte) 0x1, (byte) 0};
- private static final byte[] MSG_AP_REP = {(byte) 0x2, (byte) 0};
-
- private int ctxState = STATE_NONE;
-
- private final GSSCaller caller;
- private KerbyCredElement myCred;
- private boolean initiator;
- private KerbyNameElement myName;
- private KerbyNameElement peerName;
- private int lifeTime;
- private ChannelBinding channelBinding;
-
- private boolean mutualAuth = true;
- private boolean replayDet = true;
- private boolean sequenceDet = true;
- private boolean credDeleg = false;
- private boolean confState = true;
- private boolean integState = true;
- private boolean delegPolicy = false;
-
- public static final int INVALID_KEY = 0;
- public static final int SESSION_KEY = 1;
- public static final int INITIATOR_SUBKEY = 2;
- public static final int ACCEPTOR_SUBKEY = 4;
- private int keyComesFrom = INVALID_KEY;
-
- private EncryptionKey sessionKey; // used between client and app server
- private TicketFlags ticketFlags;
- private ApReq outApReq;
-
- private KerbyGssEncryptor gssEncryptor;
-
- // Called on initiator's side.
- public KerbyContext(GSSCaller caller, KerbyNameElement peerName, KerbyCredElement myCred,
- int lifeTime)
- throws GSSException {
- if (peerName == null) {
- throw new IllegalArgumentException("Cannot have null peer name");
- }
-
- this.caller = caller;
- this.peerName = peerName;
- this.myCred = myCred;
- this.lifeTime = lifeTime;
- this.initiator = true;
-
- mySequenceNumberLock = new Object();
- peerSequenceNumberLock = new Object();
- }
-
- public KerbyContext(GSSCaller caller, KerbyAcceptCred myCred)
- throws GSSException {
- this.caller = caller;
- this.myCred = myCred;
- this.initiator = false;
-
- mySequenceNumberLock = new Object();
- peerSequenceNumberLock = new Object();
- }
-
- public KerbyContext(GSSCaller caller, byte[] interProcessToken)
- throws GSSException {
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported feature");
- }
-
- public Provider getProvider() {
- return new org.apache.kerby.kerberos.kerb.gssapi.Provider();
- }
-
- public void requestLifetime(int lifeTime) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- this.lifeTime = lifeTime;
- }
- }
-
- public void requestMutualAuth(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- mutualAuth = state;
- }
- }
-
- public void requestReplayDet(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- replayDet = state;
- }
- }
-
- public void requestSequenceDet(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- replayDet = state;
- }
- }
-
- public void requestCredDeleg(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator() && myCred == null) {
- credDeleg = state;
- }
- }
-
- public void requestAnonymity(boolean state) throws GSSException {
- // anonymous context not supported
- }
-
- public void requestConf(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- confState = state;
- }
- }
-
- public void requestInteg(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- integState = state;
- }
- }
-
- public void requestDelegPolicy(boolean state) throws GSSException {
- if (ctxState == STATE_NONE && isInitiator()) {
- delegPolicy = state;
- }
- }
-
- public void setChannelBinding(ChannelBinding cb) throws GSSException {
- this.channelBinding = cb;
- }
-
- public boolean getCredDelegState() {
- return credDeleg;
- }
-
- public boolean getMutualAuthState() {
- return mutualAuth;
- }
-
- public boolean getReplayDetState() {
- return replayDet || sequenceDet;
- }
-
- public boolean getSequenceDetState() {
- return sequenceDet;
- }
-
- public boolean getAnonymityState() {
- return false;
- }
-
- public boolean getDelegPolicyState() {
- return delegPolicy;
- }
-
- public boolean isTransferable() throws GSSException {
- return false;
- }
-
- public boolean isProtReady() {
- return ctxState == STATE_ESTABLISHED;
- }
-
- public boolean isInitiator() {
- return initiator;
- }
-
- public boolean getConfState() {
- return confState;
- }
-
- public boolean getIntegState() {
- return integState;
- }
-
- public int getLifetime() {
- return GSSContext.INDEFINITE_LIFETIME;
- }
-
- public boolean isEstablished() {
- return ctxState == STATE_ESTABLISHED;
- }
-
- public GSSNameSpi getSrcName() throws GSSException {
- return isInitiator() ? myName : peerName;
- }
-
- public GSSNameSpi getTargName() throws GSSException {
- return !isInitiator() ? myName : peerName;
- }
-
- public Oid getMech() throws GSSException {
- return KerbyMechFactory.getOid();
- }
-
- public GSSCredentialSpi getDelegCred() throws GSSException {
- throw new GSSException(GSSException.FAILURE, -1, "API not implemented"); // TODO:
- }
-
- public byte[] initSecContext(InputStream is, int mechTokenSize)
- throws GSSException {
- if (!isInitiator()) {
- throw new GSSException(GSSException.FAILURE, -1, "initSecContext called on acceptor");
- }
-
- byte[] ret = null;
-
- if (ctxState == STATE_NONE) {
-
- if (!myCred.isInitiatorCredential()) {
- throw new GSSException(GSSException.NO_CRED, -1, "No TGT available");
- }
-
- // check if service ticket already exists
- // if not, prepare to get it through TGS_REQ
- SgtTicket sgtTicket = null;
- String serviceName = peerName.getPrincipalName().getName();
- myName = (KerbyNameElement) myCred.getName();
- PrincipalName clientPrincipal = myName.getPrincipalName();
-
- sgtTicket = KerbyUtil.getSgtCredentialFromContext(caller, clientPrincipal.getName(), serviceName);
-
- if (sgtTicket == null) {
- sgtTicket = KerbyUtil.applySgtCredential(((KerbyInitCred) myCred).ticket, serviceName);
-
- // add this service credential to context
- final KerberosTicket ticket =
- KerbyUtil.convertKrbTicketToKerberosTicket(sgtTicket, myName.getPrincipalName().getName());
- CredUtils.addCredentialToSubject(ticket);
- }
-
- ApRequest apRequest = new ApRequest(clientPrincipal, sgtTicket);
- try {
- outApReq = apRequest.getApReq();
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq failed: " + e.getMessage());
- }
- setupInitiatorContext(sgtTicket, apRequest);
- try {
- ByteBuffer outBuffer = ByteBuffer.allocate(outApReq.encodingLength() + 2);
- outBuffer.put(MSG_AP_REQ);
- outApReq.encode(outBuffer);
- outBuffer.flip();
- ret = outBuffer.array();
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq bytes failed: " + e.getMessage());
- }
-
- ctxState = STATE_ESTABLISHING;
- if (!getMutualAuthState()) {
- gssEncryptor = new KerbyGssEncryptor(getSessionKey());
- ctxState = STATE_ESTABLISHED;
- }
-
- } else if (ctxState == STATE_ESTABLISHING) {
- verifyServerToken(is, mechTokenSize);
- gssEncryptor = new KerbyGssEncryptor(getSessionKey());
- outApReq = null;
- ctxState = STATE_ESTABLISHED;
- }
- return ret;
- }
-
- private void setupInitiatorContext(SgtTicket sgt, ApRequest apRequest) throws GSSException {
- EncKdcRepPart encKdcRepPart = sgt.getEncKdcRepPart();
- TicketFlags ticketFlags = encKdcRepPart.getFlags();
- setTicketFlags(ticketFlags);
-
- setAuthTime(encKdcRepPart.getAuthTime().toString());
-
- Authenticator auth;
- try {
- auth = apRequest.getApReq().getAuthenticator();
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1, "ApReq failed in Initiator");
- }
- setMySequenceNumber(auth.getSeqNumber());
-
- EncryptionKey subKey = auth.getSubKey();
- if (subKey != null) {
- setSessionKey(subKey, KerbyContext.INITIATOR_SUBKEY);
- } else {
- setSessionKey(sgt.getSessionKey(), KerbyContext.SESSION_KEY);
- }
-
- if (!getMutualAuthState()) {
- setPeerSequenceNumber(0);
- }
- }
-
- /**
- * Verify the AP_REP from server and set context accordingly
- * @param is
- * @param mechTokenSize
- * @return
- * @throws GSSException
- * @throws IOException
- */
- private void verifyServerToken(InputStream is, int mechTokenSize)
- throws GSSException {
- byte[] token;
- ApRep apRep;
- try {
- if (!(is.read() == MSG_AP_REP[0] && is.read() == MSG_AP_REP[1])) {
- throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep message ID");
- }
- token = new byte[mechTokenSize - MSG_AP_REP.length];
- is.read(token);
- apRep = new ApRep();
- apRep.decode(token);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep " + e.getMessage());
- }
-
- try {
- ApResponse.validate(getSessionKey(), apRep, outApReq);
- } catch (KrbException e) {
- throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApRep verification failed");
- }
-
- EncryptionKey key = apRep.getEncRepPart().getSubkey();
- if (key != null) {
- setSessionKey(key, ACCEPTOR_SUBKEY);
- }
-
- int seqNum = apRep.getEncRepPart().getSeqNumber();
- setPeerSequenceNumber(seqNum == -1 ? 0 : seqNum);
- }
-
- public byte[] acceptSecContext(InputStream is, int mechTokenSize)
- throws GSSException {
- byte[] ret = null;
-
- if (isInitiator()) {
- throw new GSSException(GSSException.FAILURE, -1, "acceptSecContext called on initiator");
- }
-
- if (ctxState == STATE_NONE) {
- ctxState = STATE_ESTABLISHING;
- if (!myCred.isAcceptorCredential()) {
- throw new GSSException(GSSException.FAILURE, -1, "No acceptor credential available");
- }
-
- KerbyAcceptCred acceptCred = (KerbyAcceptCred) myCred;
- CredUtils.checkPrincipalPermission(
- ((KerbyNameElement) acceptCred.getName()).getPrincipalName().getName(), "accept");
-
- if (getMutualAuthState()) {
- ret = verifyClientToken(acceptCred, is, mechTokenSize);
- }
-
- gssEncryptor = new KerbyGssEncryptor(getSessionKey());
-
- myCred = null;
- ctxState = STATE_ESTABLISHED;
- }
-
- return ret;
- }
-
- private byte[] verifyClientToken(KerbyAcceptCred acceptCred, InputStream is, int mechTokenSize)
- throws GSSException {
- byte[] token;
- ApReq apReq;
- try {
- if (!(is.read() == MSG_AP_REQ[0] && is.read() == MSG_AP_REQ[1])) {
- throw new GSSException(GSSException.FAILURE, -1, "Invalid ApReq message ID");
- }
-
- token = new byte[mechTokenSize - MSG_AP_REQ.length];
- is.read(token);
- apReq = new ApReq();
- apReq.decode(token);
- } catch (IOException e) {
- throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid:" + e.getMessage());
- }
-
- int kvno = apReq.getTicket().getEncryptedEncPart().getKvno();
- int encryptType = apReq.getTicket().getEncryptedEncPart().getEType().getValue();
-
- // Get server key from credential
- EncryptionKey serverKey = KerbyUtil.getEncryptionKey(acceptCred.getKeys(), encryptType, kvno);
- if (serverKey == null) {
- throw new GSSException(GSSException.FAILURE, -1, "Server key not found");
- }
-
- try {
- ApRequest.validate(serverKey, apReq,
- channelBinding == null ? null : channelBinding.getInitiatorAddress(), 5 * 60 * 1000);
- } catch (KrbException e) {
- throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq verification failed: " + e.getMessage());
- }
-
- ApResponse apResponse = new ApResponse(apReq);
- ApRep apRep;
- try {
- apRep = apResponse.getApRep();
- } catch (KrbException e) {
- throw new GSSException(GSSException.UNAUTHORIZED, -1, "Generate ApRep failed");
- }
-
- EncTicketPart apReqTicketEncPart = apReq.getTicket().getEncPart();
-
- EncryptionKey ssKey = apReqTicketEncPart.getKey();
- Authenticator auth = apReq.getAuthenticator();
- EncryptionKey subKey = auth.getSubKey();
-
- if (subKey != null) {
- setSessionKey(subKey, INITIATOR_SUBKEY);
- } else {
- setSessionKey(ssKey, SESSION_KEY);
- }
-
- // initial seqNumber
- int seqNumber = auth.getSeqNumber();
- setMySequenceNumber(seqNumber);
- // initial authtime, tktflags, authdata,
- setAuthTime(apReqTicketEncPart.getAuthTime().toString());
- setTicketFlags(apReqTicketEncPart.getFlags());
- setAuthData(apReqTicketEncPart.getAuthorizationData());
-
- byte[] ret = null;
- try {
- ByteBuffer outBuffer = ByteBuffer.allocate(apRep.encodingLength() + 2);
- outBuffer.put(MSG_AP_REP);
- apRep.encode(outBuffer);
- outBuffer.flip();
- ret = outBuffer.array();
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Generate ApRep bytes failed:" + e.getMessage());
- }
- return ret;
- }
-
- public int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
- throws GSSException {
- if (gssEncryptor.isV2()) {
- return WrapTokenV2.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
- } else {
- return WrapTokenV1.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
- }
- }
-
- public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
- throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
- }
-
- int len;
- byte[] inBuf;
- try {
- len = is.available();
- inBuf = new byte[len];
- is.read(inBuf);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Error when get user data:" + e.getMessage());
- }
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
- token.wrap(os);
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, inBuf, 0, len, msgProp);
- token.wrap(os);
- }
- }
-
- public byte[] wrap(byte[] inBuf, int offset, int len,
- MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
- }
- byte[] ret;
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
- ret = token.wrap();
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, inBuf, offset, len, msgProp);
- ret = token.wrap();
- }
- return ret;
- }
-
- public void unwrap(InputStream is, OutputStream os,
- MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
- }
-
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
- token.unwrap(os);
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, msgProp, is);
- token.unwrap(os);
- }
- }
-
- public byte[] unwrap(byte[] inBuf, int offset, int len,
- MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
- }
-
- byte[] ret;
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
- ret = token.unwrap();
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, msgProp, inBuf, offset, len);
- ret = token.unwrap();
- }
- return ret;
- }
-
- public void getMIC(InputStream is, OutputStream os,
- MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
- }
-
- try {
- int len = is.available();
- byte[] inMsg = new byte[len];
- is.read(inMsg);
- if (gssEncryptor.isV2()) {
- MicTokenV2 token = new MicTokenV2(this, inMsg, 0, len, msgProp);
- token.getMic(os);
- } else {
- MicTokenV1 token = new MicTokenV1(this, inMsg, 0, len, msgProp);
- token.getMic(os);
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Error when get user data in getMIC:" + e.getMessage());
- }
- }
-
- public byte[] getMIC(byte[] inMsg, int offset, int len,
- MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for getMIC");
- }
-
- byte[] ret;
- if (gssEncryptor.isV2()) {
- MicTokenV2 token = new MicTokenV2(this, inMsg, offset, len, msgProp);
- ret = token.getMic();
- } else {
- MicTokenV1 token = new MicTokenV1(this, inMsg, offset, len, msgProp);
- ret = token.getMic();
- }
- return ret;
- }
-
- public void verifyMIC(InputStream is, InputStream msgStr,
- MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
- }
-
- try {
- int tokLen = is.available();
- byte[] inTok = new byte[tokLen];
- int msgLen = msgStr.available();
- byte[] inMsg = new byte[msgLen];
-
- verifyMIC(inTok, 0, tokLen, inMsg, 0, msgLen, msgProp);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Error when get user data in verifyMIC:" + e.getMessage());
- }
- }
-
- public void verifyMIC(byte[]inTok, int tokOffset, int tokLen,
- byte[] inMsg, int msgOffset, int msgLen,
- MessageProp msgProp) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for verifyMIC");
- }
-
- if (gssEncryptor.isV2()) {
- MicTokenV2 token = new MicTokenV2(this, msgProp, inTok, tokOffset, tokLen);
- token.verify(inMsg, msgOffset, msgLen);
- } else {
- MicTokenV1 token = new MicTokenV1(this, msgProp, inTok, tokOffset, tokLen);
- token.verify(inMsg, msgOffset, msgLen);
- }
- }
-
- public byte[] export() throws GSSException {
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported export() method");
- }
-
- public void dispose() throws GSSException {
- ctxState = STATE_DESTROYED;
- setSessionKey(null, 0);
- peerName = null;
- myCred = null;
- myName = null;
- }
-
-
- private String authTime;
- private void setAuthTime(String authTime) {
- this.authTime = authTime;
- }
-
- public Object inquireSecContext(InquireType type) throws GSSException {
- if (ctxState != STATE_ESTABLISHED) {
- throw new GSSException(GSSException.NO_CONTEXT, -1, "Invalid context");
- }
-
- switch (type) {
- case KRB5_GET_SESSION_KEY:
- return getSessionKey();
- case KRB5_GET_TKT_FLAGS:
- return KerbyUtil.ticketFlagsToBooleans(ticketFlags);
- case KRB5_GET_AUTHZ_DATA:
- if (isInitiator()) {
- throw new GSSException(GSSException.UNAVAILABLE, -1,
- "Authorization data not available for initiator");
- } else {
- return KerbyUtil.kerbyAuthorizationDataToJgssAuthorizationDataEntries(authData);
- }
- case KRB5_GET_AUTHTIME:
- return authTime;
- }
- throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported inquire type");
- }
-
-
- // functions not belong to SPI
- private void setSessionKey(EncryptionKey encryptionKey, int keyComesFrom) {
- this.sessionKey = encryptionKey;
- this.keyComesFrom = keyComesFrom;
- }
-
- public int getKeyComesFrom() {
- return keyComesFrom;
- }
-
- private EncryptionKey getSessionKey() {
- return sessionKey;
- }
-
- private void setTicketFlags(TicketFlags ticketFlags) {
- this.ticketFlags = ticketFlags;
- }
-
- private AuthorizationData authData;
- private void setAuthData(AuthorizationData authData) {
- this.authData = authData;
- }
-
-
- private int mySequenceNumber;
- private int peerSequenceNumber;
- private Object mySequenceNumberLock;
- private Object peerSequenceNumberLock;
-
- public void setMySequenceNumber(int sequenceNumber) {
- synchronized (mySequenceNumberLock) {
- mySequenceNumber = sequenceNumber;
- }
- }
-
- public int incMySequenceNumber() {
- synchronized (mySequenceNumberLock) {
- return mySequenceNumber++;
- }
- }
-
- public void setPeerSequenceNumber(int sequenceNumber) {
- synchronized (peerSequenceNumberLock) {
- peerSequenceNumber = sequenceNumber;
- }
- }
-
- public int incPeerSequenceNumber() {
- synchronized (peerSequenceNumberLock) {
- return peerSequenceNumber++;
- }
- }
-
- public KerbyGssEncryptor getGssEncryptor() {
- return gssEncryptor;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java
deleted file mode 100644
index c52b3ea..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyCredElement.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.Oid;
-import sun.security.jgss.GSSCaller;
-import sun.security.jgss.spi.GSSCredentialSpi;
-import sun.security.jgss.spi.GSSNameSpi;
-
-import java.security.Provider;
-
-public abstract class KerbyCredElement implements GSSCredentialSpi {
-
- static final Oid KRB5_OID = createOid("1.2.840.113554.1.2.2");
-
- protected GSSCaller caller;
- protected KerbyNameElement name;
- protected int initLifeTime;
- protected int accLifeTime;
-
- KerbyCredElement(GSSCaller caller, KerbyNameElement name) {
- this.caller = caller;
- this.name = name;
- }
-
- public Provider getProvider() {
- return new org.apache.kerby.kerberos.kerb.gssapi.Provider();
- }
-
- public void dispose() throws GSSException {
- }
-
- public GSSNameSpi getName() throws GSSException {
- return name;
- }
-
- public int getInitLifetime() throws GSSException {
- return initLifeTime;
- }
-
- public int getAcceptLifetime() throws GSSException {
- return accLifeTime;
- }
-
- public Oid getMechanism() {
- return KRB5_OID;
- }
-
- public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
- throw new GSSException(GSSException.FAILURE, -1, "Unsupported feature"); // TODO:
- }
-
- private static Oid createOid(String oidStr) {
- Oid retVal;
- try {
- retVal = new Oid(oidStr);
- } catch (GSSException e) {
- retVal = null; // get rid of blank catch block warning
- }
- return retVal;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
deleted file mode 100644
index 9aff63e..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
+++ /dev/null
@@ -1,388 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-
-import org.apache.kerby.kerberos.kerb.KrbException;
-import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
-import org.apache.kerby.kerberos.kerb.crypto.CheckSumTypeHandler;
-import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
-import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
-import org.apache.kerby.kerberos.kerb.crypto.cksum.provider.Md5Provider;
-import org.apache.kerby.kerberos.kerb.crypto.enc.provider.DesProvider;
-import org.apache.kerby.kerberos.kerb.crypto.enc.provider.Rc4Provider;
-import org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
-import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
-import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
-import org.ietf.jgss.GSSException;
-
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-/**
- * This class implements encryption related function used in GSS tokens
- */
-public class KerbyGssEncryptor {
-
- private final EncryptionKey encKey;
- private final EncryptionType encKeyType; // The following two variables used for convenience
- private final byte[] encKeyBytes;
-
- private CheckSumType checkSumTypeDef;
- private int checkSumSize;
-
- private boolean isV2 = false;
- private int sgnAlg = 0xFFFF;
- private int sealAlg = 0xFFFF;
- private boolean isArcFourHmac = false;
-
- private static final byte[] IV_ZEROR_8B = new byte[8];
-
- public KerbyGssEncryptor(EncryptionKey key) throws GSSException {
- encKey = key;
- encKeyBytes = encKey.getKeyData();
- encKeyType = key.getKeyType();
-
- if (encKeyType == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
- checkSumSize = 12;
- checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES128;
- isV2 = true;
- } else if (encKeyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
- checkSumSize = 12;
- checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES256;
- isV2 = true;
- } else if (encKeyType == EncryptionType.DES_CBC_CRC || encKeyType == EncryptionType.DES_CBC_MD5) {
- sgnAlg = KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5;
- sealAlg = KerbyGssTokenV1.SEAL_ALG_DES;
- checkSumSize = 8;
- } else if (encKeyType == EncryptionType.DES3_CBC_SHA1) {
- sgnAlg = KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD;
- sealAlg = KerbyGssTokenV1.SEAL_ALG_DES3_KD;
- checkSumSize = 20;
- } else if (encKeyType == EncryptionType.ARCFOUR_HMAC) {
- sgnAlg = KerbyGssTokenV1.SGN_ALG_RC4_HMAC;
- sealAlg = KerbyGssTokenV1.SEAL_ALG_RC4_HMAC;
- checkSumSize = 16;
- isArcFourHmac = true;
- } else {
- throw new GSSException(GSSException.FAILURE, -1,
- "Invalid encryption type: " + encKeyType.getDisplayName());
- }
- }
-
- /**
- * Return true if it is encryption type defined in RFC 4121
- * @return
- */
- public boolean isV2() {
- return isV2;
- }
-
- public int getSgnAlg() {
- return sgnAlg;
- }
-
- public int getSealAlg() {
- return sealAlg;
- }
-
- public boolean isArcFourHmac() {
- return isArcFourHmac;
- }
-
- public byte[] encryptData(byte[] tokenHeader, byte[] data,
- int offset, int len, int keyUsage) throws GSSException {
- byte[] ret;
- byte[] toProcess = new byte[tokenHeader.length + len];
- System.arraycopy(data, offset, toProcess, 0, len);
- System.arraycopy(tokenHeader, 0, toProcess, len, tokenHeader.length);
-
- ret = encryptData(toProcess, keyUsage);
- return ret;
- }
-
- public byte[] encryptData(byte[] toProcess, int keyUsage) throws GSSException {
- byte[] ret;
- try {
- EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
- ret = encHandler.encrypt(toProcess, encKey.getKeyData(), keyUsage);
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
- }
- return ret;
- }
-
- public byte[] decryptData(byte[] dataEncrypted, int keyUsage) throws GSSException {
- byte[] ret;
- try {
- EncTypeHandler encHandler = EncryptionHandler.getEncHandler(encKey.getKeyType());
- ret = encHandler.decrypt(dataEncrypted, encKey.getKeyData(), keyUsage);
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1, e.getMessage());
- }
- return ret;
- }
-
- public byte[] calculateCheckSum(byte[] header, byte[] data, int offset, int len, int keyUsage)
- throws GSSException {
- int totalLen = len + (header == null ? 0 : header.length);
- byte[] buffer = new byte[totalLen];
- System.arraycopy(data, offset, buffer, 0, len);
- if (header != null) {
- System.arraycopy(header, 0, buffer, len, header.length);
- }
-
- try {
- return CheckSumHandler.getCheckSumHandler(checkSumTypeDef)
- .checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Exception in checksum calculation:" + e.getMessage());
- }
- }
-
- /**
- * Get the size of the corresponding checksum algorithm
- * @return
- * @throws GSSException
- */
- public int getCheckSumSize() throws GSSException {
- return checkSumSize;
- }
-
-
- private void addPadding(int paddingLen, byte[] outBuf, int offset) {
- for (int i = 0; i < paddingLen; i++) {
- outBuf[offset + i] = (byte) paddingLen;
- }
- }
-
- private byte[] getFirstBytes(byte[] src, int len) {
- if (len < src.length) {
- byte[] ret = new byte[len];
- System.arraycopy(src, 0, ret, 0, len);
- return ret;
- }
- return src;
- }
-
- private byte[] getKeyBytesWithLength(int len) {
- return getFirstBytes(encKeyBytes, len);
- }
-
- public byte[] calculateCheckSum(byte[] confounder, byte[] header,
- byte[] data, int offset, int len, int paddingLen, boolean isMic)
- throws GSSException {
- byte[] ret;
- int keyUsage = KerbyGssTokenV1.KG_USAGE_SIGN;
- CheckSumTypeHandler handler;
-
- int keySize;
- byte[] key;
- byte[] toProc;
- int toOffset;
- int toLen = (confounder == null ? 0 : confounder.length)
- + (header == null ? 0 : header.length) + len + paddingLen;
- if (toLen == len) {
- toProc = data;
- toOffset = offset;
- } else {
- toOffset = 0;
- int idx = 0;
- toProc = new byte[toLen];
-
- if (header != null) {
- System.arraycopy(header, 0, toProc, idx, header.length);
- idx += header.length;
- }
-
- if (confounder != null) {
- System.arraycopy(confounder, 0, toProc, idx, confounder.length);
- idx += confounder.length;
- }
-
- System.arraycopy(data, offset, toProc, idx, len);
- addPadding(paddingLen, toProc, len + idx);
- }
-
- CheckSumType chksumType;
- try {
- switch (sgnAlg) {
- case KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5:
- Md5Provider md5Provider = new Md5Provider();
- md5Provider.hash(toProc);
- toProc = md5Provider.output();
-
- case KerbyGssTokenV1.SGN_ALG_DES_MAC:
- DesProvider desProvider = new DesProvider();
- return desProvider.cbcMac(encKeyBytes, IV_ZEROR_8B, toProc);
-
- case KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
- chksumType = CheckSumType.HMAC_SHA1_DES3_KD;
- break;
- case KerbyGssTokenV1.SGN_ALG_RC4_HMAC:
- chksumType = CheckSumType.MD5_HMAC_ARCFOUR;
- if (isMic) {
- keyUsage = KerbyGssTokenV1.KG_USAGE_MS_SIGN;
- }
- break;
- case KerbyGssTokenV1.SGN_ALG_MD25:
- throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for SGN_ALG_MD25");
- default:
- throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for sgnAlg=" + sgnAlg);
- }
- handler = CheckSumHandler.getCheckSumHandler(chksumType);
- keySize = handler.keySize();
- key = getKeyBytesWithLength(keySize);
- ret = handler.checksumWithKey(toProc, toOffset, toLen, key, keyUsage);
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Exception in checksum calculation sgnAlg = " + sgnAlg + " : " + e.getMessage());
- }
- return ret;
- }
-
- public byte[] encryptSequenceNumber(byte[] seqBytes, byte[] ivSrc, boolean encrypt)
- throws GSSException {
- EncTypeHandler handler;
- try {
- switch (sgnAlg) {
- case KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5:
- case KerbyGssTokenV1.SGN_ALG_DES_MAC:
- DesProvider desProvider = new DesProvider();
- byte[] data = seqBytes.clone();
- if (encrypt) {
- desProvider.encrypt(encKeyBytes, ivSrc, data);
- } else {
- desProvider.decrypt(encKeyBytes, ivSrc, data);
- }
- return data;
- case KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
- handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
- break;
- case KerbyGssTokenV1.SGN_ALG_RC4_HMAC:
- return encryptArcFourHmac(seqBytes, getKeyBytesWithLength(16), getFirstBytes(ivSrc, 8), encrypt);
- case KerbyGssTokenV1.SGN_ALG_MD25:
- throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for SGN_ALG_MD25");
- default:
- throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for sgnAlg=" + sgnAlg);
- }
- int keySize = handler.keySize();
- byte[] key = getKeyBytesWithLength(keySize);
- int ivLen = handler.encProvider().blockSize();
- byte[] iv = getFirstBytes(ivSrc, ivLen);
- if (encrypt) {
- return handler.encryptRaw(seqBytes, key, iv, KerbyGssTokenV1.KG_USAGE_SEQ);
- } else {
- return handler.decryptRaw(seqBytes, key, iv, KerbyGssTokenV1.KG_USAGE_SEQ);
- }
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Exception in encrypt seq number sgnAlg = " + sgnAlg + " : " + e.getMessage());
- }
- }
-
- private byte[] getHmacMd5(byte[] key, byte[] salt) throws GSSException {
- try {
- SecretKey secretKey = new SecretKeySpec(key, "HmacMD5");
- Mac mac = Mac.getInstance("HmacMD5");
- mac.init(secretKey);
- return mac.doFinal(salt);
- } catch (Exception e) {
- throw new GSSException(GSSException.FAILURE, -1, "Get HmacMD5 failed: " + e.getMessage());
- }
- }
-
- private byte[] encryptArcFourHmac(byte[] data, byte[] key, byte[] iv, boolean encrypt)
- throws GSSException {
- byte[] sk1 = getHmacMd5(key, new byte[4]);
- byte[] sk2 = getHmacMd5(sk1, iv);
- Rc4Provider provider = new Rc4Provider();
- try {
- byte[] ret = data.clone();
- if (encrypt) {
- provider.encrypt(sk2, ret);
- } else {
- provider.decrypt(sk2, ret);
- }
- return ret;
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "En/Decrypt sequence failed for ArcFourHmac: " + e.getMessage());
- }
- }
-
- private byte[] encryptDataArcFourHmac(byte[] data, byte[] key, byte[] seqNum, boolean encrypt) throws GSSException {
- byte[] dataKey = new byte[key.length];
- for (int i = 0; i <= 15; i++) {
- dataKey[i] = (byte) (key[i] ^ 0xF0);
- }
- return encryptArcFourHmac(data, dataKey, seqNum, encrypt);
- }
-
- public byte[] encryptTokenV1(byte[] confounder, byte[] data, int offset, int len,
- int paddingLen, byte[] seqNumber, boolean encrypt) throws GSSException {
- byte[] toProc;
- if (encrypt) {
- int toLen = (confounder == null ? 0 : confounder.length) + len + paddingLen;
- int index = 0;
- toProc = new byte[toLen];
- if (confounder != null) {
- System.arraycopy(confounder, 0, toProc, 0, confounder.length);
- index += confounder.length;
- }
- System.arraycopy(data, offset, toProc, index, len);
- addPadding(paddingLen, toProc, index + len);
- } else {
- toProc = data;
- if (data.length != len) {
- toProc = new byte[len];
- System.arraycopy(data, offset, toProc, 0, len);
- }
- }
- EncTypeHandler handler;
- try {
- switch (sealAlg) {
- case KerbyGssTokenV1.SEAL_ALG_DES:
- handler = EncryptionHandler.getEncHandler(EncryptionType.DES_CBC_MD5);
- break;
- case KerbyGssTokenV1.SEAL_ALG_DES3_KD:
- handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
- break;
- case KerbyGssTokenV1.SEAL_ALG_RC4_HMAC:
- return encryptDataArcFourHmac(toProc, getKeyBytesWithLength(16), seqNumber, encrypt);
- default:
- throw new GSSException(GSSException.FAILURE, -1, "Unknown encryption type sealAlg = " + sealAlg);
- }
-
- int keySize = handler.keySize();
- byte[] key = getKeyBytesWithLength(keySize);
- if (encrypt) {
- return handler.encryptRaw(toProc, key, KerbyGssTokenV1.KG_USAGE_SEAL);
- } else {
- return handler.decryptRaw(toProc, key, KerbyGssTokenV1.KG_USAGE_SEAL);
- }
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Exception in encrypt data sealAlg = " + sealAlg + " : " + e.getMessage());
- }
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
deleted file mode 100644
index ae5122f..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenBase.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-
-public abstract class KerbyGssTokenBase {
- public static final int TOKEN_WRAP_V1 = 0x201;
- public static final int TOKEN_MIC_V1 = 0x101;
- public static final int TOKEN_WRAP_V2 = 0x504;
- public static final int TOKEN_MIC_V2 = 0x404;
-
- public void writeBigEndian(byte[] buf, int offset, int value) {
- buf[offset] = (byte) (value >>> 24);
- buf[offset + 1] = (byte) (value >>> 16);
- buf[offset + 2] = (byte) (value >>> 8);
- buf[offset + 3] = (byte) (value);
- }
-
- public int readBigEndian(byte[] buf, int offset) {
- int value = 0;
- value += (buf[offset] & 0xFF) << 24;
- value += (buf[offset + 1] & 0xFF) << 16;
- value += (buf[offset + 2] & 0xFF) << 8;
- value += buf[offset + 3] & 0xFF;
- return value;
- }
-
- /**
- *
- * @param buf
- * @param offset
- * @param len should not be larger than sizeof(int)
- * @return
- */
- public int readBigEndian(byte[] buf, int offset, int len) {
- int value = 0;
- for (int i = 0; i < len; i++) {
- value += (buf[offset + i] & 0xFF) << 8;
- }
- return value;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
deleted file mode 100644
index 6b1a2c7..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
+++ /dev/null
@@ -1,319 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-import sun.security.jgss.GSSHeader;
-import sun.security.util.ObjectIdentifier;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.security.MessageDigest;
-
-/**
- * This class implements the token formats defined in RFC 1964 and its updates
- *
- * The GSS Wrap token has the following format:
- *
- * Byte no Name Description
- * 0..1 TOK_ID 0201
- *
- * 2..3 SGN_ALG Checksum algorithm indicator.
- * 00 00 DES MAC MD5
- * 01 00 MD2.5
- * 02 00 DES MAC
- * 04 00 HMAC SHA1 DES3-KD
- * 11 00 RC4-HMAC used by Microsoft Windows, RFC 4757
- * 4..5 SEAL_ALG ff ff none
- * 00 00 DES
- * 02 00 DES3-KD
- * 10 00 RC4-HMAC
- * 6..7 Filler FF FF
- * 8..15 SND_SEQ Encrypted sequence number field.
- * 16..23 SNG_CKSUM Checksum of plaintext padded data,
- * calculated according to algorithm
- * specified in SGN_ALG field.
- * 24.. Data Encrypted or plaintext padded data
- *
- *
- *
- * Use of the GSS MIC token has the following format:
-
- * Byte no Name Description
- * 0..1 TOK_ID 0101
- * 2..3 SGN_ALG Integrity algorithm indicator.
- * 4..7 Filler Contains ff ff ff ff
- * 8..15 SND_SEQ Sequence number field.
- * 16..23 SGN_CKSUM Checksum of "to-be-signed data",
- * calculated according to algorithm
- * specified in SGN_ALG field.
- *
- */
-abstract class KerbyGssTokenV1 extends KerbyGssTokenBase {
- // SGN ALG
- public static final int SGN_ALG_DES_MAC_MD5 = 0;
- public static final int SGN_ALG_MD25 = 0x0100;
- public static final int SGN_ALG_DES_MAC = 0x0200;
- public static final int SGN_ALG_HMAC_SHA1_DES3_KD = 0x0400;
- public static final int SGN_ALG_RC4_HMAC = 0x1100;
-
- // SEAL ALG
- public static final int SEAL_ALG_NONE = 0xFFFF;
- public static final int SEAL_ALG_DES = 0x0; // "DES/CBC/NoPadding"
- public static final int SEAL_ALG_DES3_KD = 0x0200;
- public static final int SEAL_ALG_RC4_HMAC = 0x1000;
-
- public static final int KG_USAGE_SEAL = 22;
- public static final int KG_USAGE_SIGN = 23;
- public static final int KG_USAGE_SEQ = 24;
- public static final int KG_USAGE_MS_SIGN = 15;
-
- private boolean isInitiator;
- private boolean confState;
- private int sequenceNumber;
-
- protected KerbyGssEncryptor encryptor;
-
- private GSSHeader gssHeader;
-
- public static final int TOKEN_HEADER_COMM_SIZE = 8;
- public static final int TOKEN_HEADER_SEQ_SIZE = 8;
-
- // Token commHeader data
- private int tokenType;
- private byte[] commHeader = new byte[TOKEN_HEADER_COMM_SIZE];
- private int sgnAlg;
- private int sealAlg;
-
- private byte[] plainSequenceBytes;
- private byte[] encryptedSequenceNumber = new byte[TOKEN_HEADER_SEQ_SIZE];
- private byte[] checkSum;
- private int checkSumSize;
-
- protected int reconHeaderLen; // only used for certain reason
-
- public static ObjectIdentifier objId;
-
- static {
- try {
- objId = new ObjectIdentifier("1.2.840.113554.1.2.2");
- } catch (IOException ioe) { // NOPMD
- }
- }
-
- protected int getTokenHeaderSize() {
- return TOKEN_HEADER_COMM_SIZE + TOKEN_HEADER_SEQ_SIZE + checkSumSize;
- }
-
- protected byte[] getPlainSequenceBytes() {
- byte[] ret = new byte[4];
- ret[0] = plainSequenceBytes[0];
- ret[1] = plainSequenceBytes[1];
- ret[2] = plainSequenceBytes[2];
- ret[3] = plainSequenceBytes[3];
- return ret;
- }
-
- // Generate a new token
- KerbyGssTokenV1(int tokenType, KerbyContext context) throws GSSException {
- initialize(tokenType, context, false);
- createTokenHeader();
- }
-
- // Reconstruct a token
- KerbyGssTokenV1(int tokenType, KerbyContext context, MessageProp prop,
- byte[] token, int offset, int size) throws GSSException {
- int proxLen = size > 64 ? 64 : size;
- InputStream is = new ByteArrayInputStream(token, offset, proxLen);
- reconstructInitializaion(tokenType, context, prop, is);
- reconHeaderLen = gssHeader.getLength() + getTokenHeaderSize();
- }
-
- // Reconstruct a token
- KerbyGssTokenV1(int tokenType, KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
- reconstructInitializaion(tokenType, context, prop, is);
- }
-
- private void reconstructInitializaion(int tokenType, KerbyContext context, MessageProp prop, InputStream is)
- throws GSSException {
- initialize(tokenType, context, true);
- if (!confState) {
- prop.setPrivacy(false);
- }
-
- try {
- gssHeader = new GSSHeader(is);
- } catch (IOException e) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token:" + e.getMessage());
- }
-
- if (!gssHeader.getOid().equals((Object) objId)) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token OID");
- }
-
- reconstructTokenHeader(is, prop);
- }
-
- private void initialize(int tokenType,
- KerbyContext context,
- boolean reconstruct) throws GSSException {
- this.tokenType = tokenType;
- this.isInitiator = context.isInitiator();
- this.confState = context.getConfState();
- this.encryptor = context.getGssEncryptor();
- this.checkSumSize = encryptor.getCheckSumSize();
- if (!reconstruct) {
- this.sequenceNumber = context.incMySequenceNumber();
- } else {
- checkSum = new byte[checkSumSize];
- }
- }
-
- protected void calcPrivacyInfo(MessageProp prop, byte[] confounder, byte[] data,
- int dataOffset, int dataLength, int paddingLen) throws GSSException {
- prop.setQOP(0);
- if (!confState) {
- prop.setPrivacy(false);
- }
-
- checkSum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
- encryptSequenceNumber();
- }
-
- protected void verifyToken(byte[] confounder, byte[] data, int dataOffset, int dataLength, int paddingLen)
- throws GSSException {
- byte[] sum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
- if (!MessageDigest.isEqual(checkSum, sum)) {
- throw new GSSException(GSSException.BAD_MIC, -1,
- "Corrupt token checksum for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
- }
- }
-
- private byte[] calcCheckSum(byte[] confounder, byte[] header, byte[] data,
- int dataOffset, int dataLength, int paddingLen) throws GSSException {
- return encryptor.calculateCheckSum(confounder, header, data, dataOffset, dataLength, paddingLen,
- tokenType == TOKEN_MIC_V1);
- }
-
- private void encryptSequenceNumber() throws GSSException {
- plainSequenceBytes = new byte[8];
- if (encryptor.isArcFourHmac()) {
- writeBigEndian(plainSequenceBytes, 0, sequenceNumber);
- } else {
- plainSequenceBytes[0] = (byte) sequenceNumber;
- plainSequenceBytes[1] = (byte) (sequenceNumber >>> 8);
- plainSequenceBytes[2] = (byte) (sequenceNumber >>> 16);
- plainSequenceBytes[3] = (byte) (sequenceNumber >>> 24);
- }
-
- // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
- if (!isInitiator) {
- plainSequenceBytes[4] = (byte) 0xFF;
- plainSequenceBytes[5] = (byte) 0xFF;
- plainSequenceBytes[6] = (byte) 0xFF;
- plainSequenceBytes[7] = (byte) 0xFF;
- }
-
- encryptedSequenceNumber = encryptor.encryptSequenceNumber(plainSequenceBytes, checkSum, true);
- }
-
- public void encodeHeader(OutputStream os) throws GSSException, IOException {
- // | GSSHeader | TokenHeader |
- GSSHeader gssHeader = new GSSHeader(objId, getTokenSizeWithoutGssHeader());
- gssHeader.encode(os);
- os.write(commHeader);
- os.write(encryptedSequenceNumber);
- os.write(checkSum);
- }
-
- private void createTokenHeader() {
- commHeader[0] = (byte) (tokenType >>> 8);
- commHeader[1] = (byte) tokenType;
-
- sgnAlg = encryptor.getSgnAlg();
- commHeader[2] = (byte) (sgnAlg >>> 8);
- commHeader[3] = (byte) sgnAlg;
-
- if (tokenType == TOKEN_WRAP_V1) {
- sealAlg = encryptor.getSealAlg();
- commHeader[4] = (byte) (sealAlg >>> 8);
- commHeader[5] = (byte) sealAlg;
- } else {
- commHeader[4] = (byte) 0xFF;
- commHeader[5] = (byte) 0xFF;
- }
-
- commHeader[6] = (byte) 0xFF;
- commHeader[7] = (byte) 0xFF;
- }
-
- // Re-construct token commHeader
- private void reconstructTokenHeader(InputStream is, MessageProp prop) throws GSSException {
- try {
- if (is.read(commHeader) != commHeader.length
- || is.read(encryptedSequenceNumber) != encryptedSequenceNumber.length
- || is.read(checkSum) != checkSum.length) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Insufficient in reconstruct token header");
- }
- initTokenHeader(commHeader, prop);
-
- plainSequenceBytes = encryptor.encryptSequenceNumber(encryptedSequenceNumber, checkSum, false);
- byte dirc = isInitiator ? (byte) 0xFF : 0;
- // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
- if (!(plainSequenceBytes[4] == dirc && plainSequenceBytes[5] == dirc
- && plainSequenceBytes[6] == dirc && plainSequenceBytes[7] == dirc)) {
- throw new GSSException(GSSException.BAD_MIC, -1,
- "Corrupt token sequence for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Error in reconstruct token header:" + e.getMessage());
- }
- }
-
- private void initTokenHeader(byte[] tokenBytes, MessageProp prop) throws GSSException {
- int tokenIDRecv = (((int) tokenBytes[0]) << 8) + tokenBytes[1];
- if (tokenType != tokenIDRecv) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
- "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
- }
-
- sgnAlg = (((int) tokenBytes[2]) << 8) + tokenBytes[3];
- sealAlg = (((int) tokenBytes[4]) << 8) + tokenBytes[5];
-
- if (tokenBytes[6] != (byte) 0xFF || tokenBytes[7] != (byte) 0xFF) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token head filler");
- }
-
- prop.setQOP(0);
- prop.setPrivacy(sealAlg != SEAL_ALG_NONE);
- }
-
- protected GSSHeader getGssHeader() {
- return gssHeader;
- }
-
- abstract int getTokenSizeWithoutGssHeader();
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
deleted file mode 100644
index f2d220a..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV2.java
+++ /dev/null
@@ -1,282 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.security.MessageDigest;
-
-/**
- * This class implements the token formats defined in RFC 4121.
- */
-abstract class KerbyGssTokenV2 extends KerbyGssTokenBase {
- public static final int CONFOUNDER_SIZE = 16;
- public static final int TOKEN_HEADER_SIZE = 16;
- private static final int OFFSET_EC = 4;
- private static final int OFFSET_RRC = 6;
-
- // context states
- private boolean isInitiator = true;
- private boolean acceptorSubKey = false;
- private boolean confState = true;
- private int sequenceNumber;
-
- // token data
- protected int tokenType;
- private byte[] header = new byte[TOKEN_HEADER_SIZE];
- protected byte[] tokenData;
-
- protected byte[] checkSum;
- private int ec;
- private int rrc;
-
- static final int KG_USAGE_ACCEPTOR_SEAL = 22;
- static final int KG_USAGE_ACCEPTOR_SIGN = 23;
- static final int KG_USAGE_INITIATOR_SEAL = 24;
- static final int KG_USAGE_INITIATOR_SIGN = 25;
- private int keyUsage;
-
- private static final int FLAG_SENT_BY_ACCEPTOR = 1;
- private static final int FLAG_SEALED = 2;
- private static final int FLAG_ACCEPTOR_SUBKEY = 4;
-
- protected KerbyGssEncryptor encryptor;
-
-
- // Create a new token
- KerbyGssTokenV2(int tokenType, KerbyContext context) throws GSSException {
- initialize(tokenType, context, false);
- }
-
- private void initialize(int tokenType, KerbyContext context, boolean reconstruct) throws GSSException {
- this.tokenType = tokenType;
- this.isInitiator = context.isInitiator();
- this.acceptorSubKey = context.getKeyComesFrom() == KerbyContext.ACCEPTOR_SUBKEY;
- this.confState = context.getConfState();
-
- boolean usageFlag = reconstruct ? !this.isInitiator : this.isInitiator;
- if (tokenType == TOKEN_WRAP_V2) {
- keyUsage = usageFlag ? KG_USAGE_INITIATOR_SEAL : KG_USAGE_ACCEPTOR_SEAL;
- } else if (tokenType == TOKEN_MIC_V2) {
- keyUsage = usageFlag ? KG_USAGE_INITIATOR_SIGN : KG_USAGE_ACCEPTOR_SIGN;
- }
-
- encryptor = context.getGssEncryptor();
-
- if (!reconstruct) {
- this.sequenceNumber = context.incMySequenceNumber();
- }
- }
-
- // Reconstruct token from bytes received
- KerbyGssTokenV2(int tokenType, KerbyContext context,
- MessageProp prop, byte[] token, int offset, int len) throws GSSException {
- this(tokenType, context, prop, new ByteArrayInputStream(token, offset, len));
- }
-
- // Reconstruct token from input stream
- KerbyGssTokenV2(int tokenType, KerbyContext context,
- MessageProp prop, InputStream is) throws GSSException {
- initialize(tokenType, context, true);
-
- if (!confState) {
- prop.setPrivacy(false);
- }
-
- reconstructTokenHeader(prop, is);
-
- int minSize;
- if (tokenType == TOKEN_WRAP_V2 && prop.getPrivacy()) {
- minSize = CONFOUNDER_SIZE + TOKEN_HEADER_SIZE + encryptor.getCheckSumSize();
- } else {
- minSize = encryptor.getCheckSumSize();
- }
-
- try {
- int tokenLen = is.available();
-
- if (tokenType == TOKEN_MIC_V2) {
- tokenLen = minSize;
- tokenData = new byte[tokenLen];
- is.read(tokenData);
- } else {
- if (tokenLen >= minSize) {
- tokenData = new byte[tokenLen];
- is.read(tokenData);
- } else {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token length");
- }
- }
-
- if (tokenType == TOKEN_WRAP_V2) {
- tokenData = rotate(tokenData);
- }
-
- if (tokenType == TOKEN_MIC_V2
- || tokenType == TOKEN_WRAP_V2 && !prop.getPrivacy()) {
- int checksumLen = encryptor.getCheckSumSize();
-
- if (tokenType != TOKEN_MIC_V2 && checksumLen != ec) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid EC");
- }
-
- checkSum = new byte[checksumLen];
- System.arraycopy(tokenData, tokenLen - checksumLen, checkSum, 0, checksumLen);
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token");
- }
- }
-
- private byte[] rotate(byte[] data) {
- int dataLen = data.length;
- if (rrc % dataLen != 0) {
- rrc = rrc % dataLen;
- byte[] newBytes = new byte[dataLen];
-
- System.arraycopy(data, rrc, newBytes, 0, dataLen - rrc);
- System.arraycopy(data, 0, newBytes, dataLen - rrc, rrc);
- data = newBytes;
- }
- return data;
- }
-
- public int getKeyUsage() {
- return keyUsage;
- }
-
- public void generateCheckSum(MessageProp prop, byte[] data, int offset, int len) throws GSSException {
- // generate token header
- createTokenHeader(prop.getPrivacy());
-
- if (tokenType == TOKEN_MIC_V2
- || !prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
- checkSum = getCheckSum(data, offset, len);
- }
-
- if (!prop.getPrivacy() && tokenType == TOKEN_WRAP_V2) {
- header[4] = (byte) (checkSum.length >>> 8);
- header[5] = (byte) (checkSum.length & 0xFF);
- }
- }
-
- public byte[] getCheckSum(byte[] data, int offset, int len) throws GSSException {
- int confidentialFlag = header[2] & 2;
- if (confidentialFlag == 0 && tokenType == TOKEN_WRAP_V2) {
- header[4] = 0;
- header[5] = 0;
- header[6] = 0;
- header[7] = 0;
- }
- return encryptor.calculateCheckSum(header, data, offset, len, keyUsage);
- }
-
- public boolean verifyCheckSum(byte[] data, int offset, int len) throws GSSException {
- byte[] dataCheckSum = getCheckSum(data, offset, len);
- return MessageDigest.isEqual(checkSum, dataCheckSum);
- }
-
- // Create a new header
- private void createTokenHeader(boolean privacy) {
- header[0] = (byte) (tokenType >>> 8);
- header[1] = (byte) tokenType;
-
- int flags = isInitiator ? 0 : FLAG_SENT_BY_ACCEPTOR;
- flags |= privacy && tokenType != TOKEN_MIC_V2 ? FLAG_SEALED : 0;
- flags |= acceptorSubKey ? FLAG_ACCEPTOR_SUBKEY : 0;
-
- header[2] = (byte) (flags & 0xFF);
- header[3] = (byte) 0xFF;
-
- if (tokenType == TOKEN_WRAP_V2) {
- header[4] = (byte) 0;
- header[5] = (byte) 0;
- header[6] = (byte) 0;
- header[7] = (byte) 0;
- } else if (tokenType == TOKEN_MIC_V2) {
- header[4] = (byte) 0xFF;
- header[5] = (byte) 0xFF;
- header[6] = (byte) 0xFF;
- header[7] = (byte) 0xFF;
- }
- writeBigEndian(header, 12, sequenceNumber);
- }
-
- // Reconstruct a token header
- private void reconstructTokenHeader(MessageProp prop, InputStream is) throws GSSException {
- try {
- if (is.read(header, 0, header.length) != header.length) {
- throw new GSSException(GSSException.FAILURE, -1, "Token header can not be read");
- }
- int tokenIDRecv = (((int) header[0]) << 8) + header[1];
- if (tokenIDRecv != tokenType) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
- "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
- }
-
- int senderFlag = isInitiator ? FLAG_SENT_BY_ACCEPTOR : 0;
- int senderFlagRecv = header[2] & FLAG_SENT_BY_ACCEPTOR;
- if (senderFlagRecv != senderFlag) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid acceptor flag");
- }
-
- int confFlagRecv = header[2] & FLAG_SEALED;
- if (confFlagRecv == FLAG_SEALED && tokenType == TOKEN_WRAP_V2) {
- prop.setPrivacy(true);
- } else {
- prop.setPrivacy(false);
- }
-
- if (tokenType == TOKEN_WRAP_V2) {
- if (header[3] != (byte) 0xFF) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
- }
-
- ec = readBigEndian(header, OFFSET_EC, 2);
- rrc = readBigEndian(header, OFFSET_RRC, 2);
- } else if (tokenType == TOKEN_MIC_V2) {
- for (int i = 3; i < 8; i++) {
- if ((header[i] & 0xFF) != 0xFF) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token filler");
- }
- }
- }
-
- prop.setQOP(0);
- sequenceNumber = readBigEndian(header, 0, 8);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Phrase token header failed");
- }
- }
-
- public int encodeHeader(byte[] buf, int offset) {
- System.arraycopy(header, 0, buf, offset, TOKEN_HEADER_SIZE);
- return TOKEN_HEADER_SIZE;
- }
-
- public void encodeHeader(OutputStream os) throws IOException {
- os.write(header);
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java
deleted file mode 100644
index d04f915..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyInitCred.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import sun.security.jgss.GSSCaller;
-
-import javax.security.auth.kerberos.KerberosTicket;
-
-public final class KerbyInitCred extends KerbyCredElement {
-
- public KerberosTicket ticket;
-
- private KerbyInitCred(GSSCaller caller, KerbyNameElement name, KerberosTicket ticket, int lifeTime) {
- super(caller, name);
- this.ticket = ticket;
- this.initLifeTime = lifeTime;
- }
-
- public static KerbyInitCred getInstance(GSSCaller caller, KerbyNameElement name, int lifeTime) throws GSSException {
- KerberosTicket ticket = CredUtils.getKerberosTicketFromContext(caller, name.getPrincipalName().getName(), null);
- return new KerbyInitCred(caller, name, ticket, lifeTime);
- }
-
- public boolean isInitiatorCredential() throws GSSException {
- return true;
- }
-
- public boolean isAcceptorCredential() throws GSSException {
- return false;
- }
-
- public KerberosTicket getKerberosTicket() {
- return ticket;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8432c1a8/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java
deleted file mode 100644
index 9c93143..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyNameElement.java
+++ /dev/null
@@ -1,134 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.apache.kerby.kerberos.kerb.gssapi.KerbyMechFactory;
-import org.apache.kerby.kerberos.kerb.type.base.NameType;
-import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
-import sun.security.jgss.spi.GSSNameSpi;
-import java.io.UnsupportedEncodingException;
-import java.security.Provider;
-
-public class KerbyNameElement implements GSSNameSpi {
-
- private PrincipalName principalName;
- private Oid nameType = null;
-
- KerbyNameElement(PrincipalName principalName,
- Oid nameType) {
- this.principalName = principalName;
- this.nameType = nameType;
- }
-
- public PrincipalName toKerbyPrincipalName(sun.security.krb5.PrincipalName name) {
- return new PrincipalName(name.getNameString(), toKerbyNameType(name.getNameType()));
- }
-
- private NameType toKerbyNameType(int intNameType) {
- return NameType.fromValue(intNameType);
- }
-
- public static NameType toKerbyNameType(Oid nameType) throws GSSException {
- NameType kerbyNameType;
-
- if (nameType == null) {
- throw new GSSException(GSSException.BAD_NAMETYPE);
- }
-
- if (nameType.equals(GSSName.NT_EXPORT_NAME) || nameType.equals(GSSName.NT_USER_NAME)) {
- kerbyNameType = NameType.NT_PRINCIPAL;
- } else if (nameType.equals(GSSName.NT_HOSTBASED_SERVICE)) {
- kerbyNameType = NameType.NT_SRV_HST;
- } else {
- throw new GSSException(GSSException.BAD_NAMETYPE, 0, "Unsupported Oid name type");
- }
- return kerbyNameType;
- }
-
- public static KerbyNameElement getInstance(String name, Oid oidNameType)
- throws GSSException {
- PrincipalName principalName = new PrincipalName(name, toKerbyNameType(oidNameType));
- return new KerbyNameElement(principalName, oidNameType);
- }
-
- public Provider getProvider() {
- return new org.apache.kerby.kerberos.kerb.gssapi.Provider();
- }
-
- public boolean equals(GSSNameSpi name) throws GSSException {
- if (name == null || name.isAnonymousName() || isAnonymousName()) {
- return false;
- }
- return this.toString().equals(name.toString()) && this.getStringNameType().equals(name.getStringNameType());
- }
-
- public final PrincipalName getPrincipalName() {
- return principalName;
- }
-
- public boolean equals(Object another) {
- if (another == null) {
- return false;
- }
-
- try {
- if (another instanceof GSSNameSpi) {
- return equals((GSSNameSpi) another);
- }
- } catch (GSSException e) {
- return false;
- }
-
- return false;
- }
-
- public int hashCode() {
- return principalName.hashCode();
- }
-
- public byte[] export() throws GSSException {
- byte[] retVal;
- try {
- retVal = principalName.getName().getBytes("UTF-8");
- } catch (UnsupportedEncodingException e) {
- throw new GSSException(GSSException.BAD_NAME, -1, e.getMessage());
- }
- return retVal;
- }
-
- public Oid getMechanism() {
- return KerbyMechFactory.getOid();
- }
-
- public String toString() {
- return principalName.toString();
- }
-
- public Oid getStringNameType() {
- return nameType;
- }
-
- public boolean isAnonymousName() {
- return nameType.equals(GSSName.NT_ANONYMOUS);
- }
-}
[06/50] [abbrv] directory-kerby git commit: DIRKRB-557 KDC backend
connect to the zookeeper cluster.
Posted by co...@apache.org.
DIRKRB-557 KDC backend connects to the zookeeper cluster.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/fe4f0b81
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/fe4f0b81
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/fe4f0b81
Branch: refs/heads/gssapi
Commit: fe4f0b817a21b9ffbf2e7714b00e5d41be0069b5
Parents: 2dde1f7
Author: plusplusjiajia <ji...@intel.com>
Authored: Fri Apr 22 15:43:14 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerberos/kdc/identitybackend/ZKConfKey.java | 6 ++--
.../ZookeeperIdentityBackend.java | 36 ++++++--------------
.../identity/backend/ZookeeperBackendTest.java | 26 ++++++++++----
kerby-dist/kdc-dist/conf/backend.conf | 6 ++--
.../kerberos/kdc/ZookeeperBackendKdcTest.java | 27 ++-------------
5 files changed, 41 insertions(+), 60 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/fe4f0b81/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZKConfKey.java
----------------------------------------------------------------------
diff --git a/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZKConfKey.java b/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZKConfKey.java
index 96f5ced..b82b1a0 100644
--- a/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZKConfKey.java
+++ b/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZKConfKey.java
@@ -25,10 +25,10 @@ import org.apache.kerby.config.ConfigKey;
* Define all the ZK backend related configuration items with default values.
*/
public enum ZKConfKey implements ConfigKey {
+ EMBEDDED_ZK(true),
ZK_HOST("127.0.0.1"),
- ZK_PORT(2181),
- DATA_DIR,
- DATA_LOG_DIR;
+ ZK_PORT(2180),
+ DATA_DIR("/tmp/kerby/zookeeper/data");
private Object defaultValue;
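Review bot: `DATA_DIR("/tmp/kerby/zookeeper/data")` gives the KDC identity store a fixed default under a shared, world-writable temp directory, so any local user can pre-create or replace that path before the embedded ZooKeeper first starts, and the principal database is exposed to tmp cleanup. The removed `DATA_DIR` constant had no default, and the removed fallback in ZookeeperIdentityBackend derived the directory from the backend conf dir (`new File(getBackendConfig().getConfDir(), "zookeeper")`); keeping that approach instead of a hard-coded /tmp path is the safer default. The change of `ZK_PORT` from 2181 to 2180 is also undocumented; if it is meant to avoid colliding with a locally installed ZooKeeper, a one-line comment on the constant should say so.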
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/fe4f0b81/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java
----------------------------------------------------------------------
diff --git a/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java b/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java
index 95d14a5..810b271 100644
--- a/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java
+++ b/kerby-backend/zookeeper-backend/src/main/java/org/apache/kerby/kerberos/kdc/identitybackend/ZookeeperIdentityBackend.java
@@ -51,7 +51,6 @@ public class ZookeeperIdentityBackend extends AbstractIdentityBackend {
private String zkHost;
private int zkPort;
private File dataDir;
- private File dataLogDir;
private ZooKeeper zooKeeper;
private static final Logger LOG = LoggerFactory.getLogger(ZookeeperIdentityBackend.class);
@@ -111,19 +110,9 @@ public class ZookeeperIdentityBackend extends AbstractIdentityBackend {
LOG.info("Data dir: " + dataDir);
- String dataLogDirString = getConfig().getString(ZKConfKey.DATA_LOG_DIR, true);
- if (dataLogDirString == null || dataLogDirString.isEmpty()) {
- File zooKeeperDir = new File(getBackendConfig().getConfDir(), "zookeeper");
- dataLogDir = new File(zooKeeperDir, "datalog");
- } else {
- dataLogDir = new File(dataLogDirString);
- }
-
- if (!dataLogDir.exists() && !dataLogDir.mkdirs()) {
- throw new KrbException("could not create data log file dir " + dataLogDir);
+ if (getConfig().getBoolean(ZKConfKey.EMBEDDED_ZK, true)) {
+ startEmbeddedZookeeper();
}
-
- startEmbeddedZookeeper();
connectZK();
}
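Review bot: With `EMBEDDED_ZK` set to false the backend now skips `startEmbeddedZookeeper()`, but the data-directory handling logged just above (`LOG.info("Data dir: " + dataDir)`) still appears to run, so an external-cluster deployment must still provide a local writable data directory it never uses. That setup seems to belong inside the same `if (getConfig().getBoolean(ZKConfKey.EMBEDDED_ZK, true))` branch, though its beginning lies outside the hunk and should be confirmed. A Javadoc line on the enclosing init method stating that `dataDir` is only meaningful for the embedded server would make the two modes clearer to operators.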
@@ -132,7 +121,8 @@ public class ZookeeperIdentityBackend extends AbstractIdentityBackend {
*/
private void connectZK() throws KrbException {
try {
- zooKeeper = new ZooKeeper(zkHost, 10000, null);
+ String serverStr = zkHost + ":" + zkPort;
+ zooKeeper = new ZooKeeper(serverStr, 10000, new MyWatcher());
while (true) {
if (!zooKeeper.getState().isConnected()) {
try {
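Review bot: `String serverStr = zkHost + ":" + zkPort;` builds a connect string for exactly one server, so despite the commit title a multi-node ZooKeeper ensemble cannot be configured; if `ZK_HOST` is meant to carry the usual comma-separated `host:port,host:port` list, the port must not be appended unconditionally, e.g. `String serverStr = zkHost.contains(":") ? zkHost : zkHost + ":" + zkPort;`. The client is also created with no authentication or ACL handling, so in the external-cluster case the identity data (principal keys) is protected only by the ZooKeeper deployment itself; `connectZK()` deserves a Javadoc note stating that assumption so operators do not point it at an unsecured ensemble. The hard-coded `10000` session timeout would read better as a named constant. The body of `connectZK()` continues outside the hunk.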
@@ -158,7 +148,6 @@ public class ZookeeperIdentityBackend extends AbstractIdentityBackend {
private void startEmbeddedZookeeper() throws KrbException {
Properties startupProperties = new Properties();
startupProperties.put("dataDir", dataDir.getAbsolutePath());
- startupProperties.put("dataLogDir", dataLogDir.getAbsolutePath());
startupProperties.put("clientPort", zkPort);
QuorumPeerConfig quorumConfiguration = new QuorumPeerConfig();
@@ -188,14 +177,6 @@ public class ZookeeperIdentityBackend extends AbstractIdentityBackend {
}
/**
- * This will watch all the kdb update event so that it's timely synced.
- * @param event The kdb update event ot watch.
- */
- private void process(WatchedEvent event) {
- System.out.print("I got an event: " + event);
- }
-
- /**
* {@inheritDoc}
*/
@Override
@@ -323,9 +304,14 @@ public class ZookeeperIdentityBackend extends AbstractIdentityBackend {
}
class MyWatcher implements Watcher {
- @Override
+
+ /**
+ * This will watch all the kdb update event so that it's timely synced.
+ * @param event The kdb update event ot watch.
+ */
public void process(WatchedEvent event) {
- ZookeeperIdentityBackend.this.process(event);
+// System.out.println("I got an event: " + event.getPath());
}
+
}
}
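Review bot: `@Override` was dropped from `MyWatcher.process` although it still implements `Watcher.process`, so a signature typo would now silently create an unrelated method instead of failing to compile; keep the annotation. The commented-out `System.out.println` line should be deleted or replaced with `LOG.debug("ZooKeeper event: {}", event);` using the class's existing `LOG`, so that connection-state changes are at least observable. The Javadoc also has a typo: `ot watch` → `to watch`.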
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/fe4f0b81/kerby-backend/zookeeper-backend/src/test/java/org/apache/kerby/kerberos/kerb/identity/backend/ZookeeperBackendTest.java
----------------------------------------------------------------------
diff --git a/kerby-backend/zookeeper-backend/src/test/java/org/apache/kerby/kerberos/kerb/identity/backend/ZookeeperBackendTest.java b/kerby-backend/zookeeper-backend/src/test/java/org/apache/kerby/kerberos/kerb/identity/backend/ZookeeperBackendTest.java
index b5dab1d..8f34123 100644
--- a/kerby-backend/zookeeper-backend/src/test/java/org/apache/kerby/kerberos/kerb/identity/backend/ZookeeperBackendTest.java
+++ b/kerby-backend/zookeeper-backend/src/test/java/org/apache/kerby/kerberos/kerb/identity/backend/ZookeeperBackendTest.java
@@ -23,6 +23,7 @@ import org.apache.kerby.config.Conf;
import org.apache.kerby.kerberos.kdc.identitybackend.ZKConfKey;
import org.apache.kerby.kerberos.kdc.identitybackend.ZookeeperIdentityBackend;
import org.apache.kerby.kerberos.kerb.KrbException;
+import org.junit.AfterClass;
import org.junit.BeforeClass;
import java.io.File;
@@ -31,22 +32,35 @@ import java.io.File;
* Zookeeper backend test
*/
public class ZookeeperBackendTest extends BackendTestBase {
+ private static File instanceDir;
+ private static File dataDir;
+
@BeforeClass
public static void setup() throws KrbException {
Conf config = new Conf();
-
File testdir = new File(System.getProperty("test.dir", "target"));
- File instanceDir = new File(testdir, "zookeeper");
+ instanceDir = new File(testdir, "zookeeper");
instanceDir.mkdirs();
- File dataDir = new File(instanceDir, "data");
+ dataDir = new File(instanceDir, "data");
dataDir.mkdirs();
config.setString(ZKConfKey.DATA_DIR.getPropertyKey(), dataDir.getAbsolutePath());
- File dataLogDir = new File(instanceDir, "log");
- dataLogDir.mkdirs();
- config.setString(ZKConfKey.DATA_LOG_DIR.getPropertyKey(), dataLogDir.getAbsolutePath());
backend = new ZookeeperIdentityBackend(config);
backend.initialize();
backend.start();
}
+
+ @AfterClass
+ public static void tearDown() throws KrbException {
+ if (dataDir.exists()) {
+ dataDir.delete();
+ }
+ if (instanceDir.exists()) {
+ instanceDir.delete();
+ }
+ if (backend != null) {
+ backend.stop();
+ backend.release();
+ }
+ }
}
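Review bot: `tearDown` deletes `dataDir` and `instanceDir` before stopping the backend, and `File.delete()` returns false on a non-empty directory with the result ignored, so the embedded ZooKeeper data written during the test is never actually removed. Stop and release the backend first, then remove the tree with a recursive delete helper and fail the test if files remain. `dataDir` and `instanceDir` are also null if `setup()` threw before assigning them, so guard each with a null check before calling `exists()`.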
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/fe4f0b81/kerby-dist/kdc-dist/conf/backend.conf
----------------------------------------------------------------------
diff --git a/kerby-dist/kdc-dist/conf/backend.conf b/kerby-dist/kdc-dist/conf/backend.conf
index 28c2632..2ead268 100644
--- a/kerby-dist/kdc-dist/conf/backend.conf
+++ b/kerby-dist/kdc-dist/conf/backend.conf
@@ -18,5 +18,7 @@
kdc_identity_backend = org.apache.kerby.kerberos.kdc.identitybackend.JsonIdentityBackend
backend.json.dir = /tmp/kerby/jsonbackend
-data_dir = /tmp/kerby/zookeeper/data
-data_log_dir = /tmp/kerby/zookeeper/datalog
+embedded_zk = false
+zk_host = 127.0.0.1
+zk_port = 2181
+data_dir = /tmp/zookeeper/data
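Review bot: `data_dir` now defaults to `/tmp/zookeeper/data`, a predictable path under a world-writable directory, so on a shared host another local account can pre-create it and read or replace the KDC's identity store; the earlier `/tmp/kerby/...` default had the same weakness. The distribution default should live under the KDC's install or var directory, or the sample should carry a comment that it must be changed before deployment. It is also worth a comment stating whether `data_dir` is consulted at all when `embedded_zk = false`, since from the backend code it appears to feed only the embedded server.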
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/fe4f0b81/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/ZookeeperBackendKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/ZookeeperBackendKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/ZookeeperBackendKdcTest.java
index bface94..f0634e7 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/ZookeeperBackendKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/ZookeeperBackendKdcTest.java
@@ -23,43 +23,22 @@ import org.apache.kerby.kerberos.kdc.identitybackend.ZKConfKey;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.identity.backend.BackendConfig;
import org.apache.kerby.kerberos.kerb.server.KdcConfigKey;
-import org.junit.AfterClass;
import org.junit.Test;
import java.io.File;
public class ZookeeperBackendKdcTest extends KerbyKdcTest {
- private static File instanceDir;
- private static File dataDir;
- private static File dataLogDir;
-
- @AfterClass
- public static void rmJsonBackendFile() {
- if (instanceDir.exists()) {
- instanceDir.delete();
- }
- if (dataDir.exists()) {
- dataDir.delete();
- }
- if (dataLogDir.exists()) {
- dataLogDir.delete();
- }
- }
-
@Override
protected void prepareKdc() throws KrbException {
BackendConfig backendConfig = getKdcServer().getBackendConfig();
- File testDir = new File(System.getProperty("test.dir", "target"));
- instanceDir = new File(testDir, "zookeeper");
+ File testDir = getTestDir();
+ File instanceDir = new File(testDir, "zookeeper");
instanceDir.mkdirs();
- dataDir = new File(instanceDir, "data");
+ File dataDir = new File(instanceDir, "data");
dataDir.mkdirs();
backendConfig.setString(ZKConfKey.DATA_DIR.getPropertyKey(), dataDir.getAbsolutePath());
- dataLogDir = new File(instanceDir, "log");
- dataLogDir.mkdirs();
- backendConfig.setString(ZKConfKey.DATA_LOG_DIR.getPropertyKey(), dataLogDir.getAbsolutePath());
backendConfig.setString(KdcConfigKey.KDC_IDENTITY_BACKEND,
"org.apache.kerby.kerberos.kdc.identitybackend.ZookeeperIdentityBackend");
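Review bot: The `@AfterClass` cleanup was removed and the directories became locals, so nothing in this class deletes the `zookeeper` directory after the run; presumably `getTestDir()` returns a location the base class cleans up, and if so a one-line comment, `// test dir is removed by KerbyKdcTest`, would make that explicit. `prepareKdc` continues outside the hunk.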
[46/50] [abbrv] directory-kerby git commit: Use readFully instead of
read for being more robust, according to Steve review
Posted by co...@apache.org.
Use readFully instead of read for being more robust, according to Steve review
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/f904cdab
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/f904cdab
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/f904cdab
Branch: refs/heads/gssapi
Commit: f904cdab36f64191911de54dac9735a1027e3351
Parents: 4f50e85
Author: Kai Zheng <ka...@intel.com>
Authored: Mon Jun 13 20:22:26 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../main/java/org/apache/kerby/kerberos/kerb/KrbInputStream.java | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f904cdab/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/KrbInputStream.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/KrbInputStream.java b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/KrbInputStream.java
index 9611fe0..1e0729d 100644
--- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/KrbInputStream.java
+++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/KrbInputStream.java
@@ -73,9 +73,7 @@ public abstract class KrbInputStream extends DataInputStream {
}
byte[] data = new byte[len];
- if (read(data) == -1) {
- throw new IOException("Unexpected end of stream");
- }
+ readFully(data);
return data;
}
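Review bot: `readFully(data)` is the right call, but the array on the line above is still sized by `len`, which is read from the stream and is attacker-controlled when the input is a keytab or credential cache of untrusted origin; unless the check closed just above the hunk already rejects negative and oversized values, a bad length yields `NegativeArraySizeException` or a large allocation before any byte is read. Add `if (len < 0) throw new IOException("Invalid length: " + len);` and consider an upper bound suited to the callers. `readFully` throws `EOFException` on a short stream, which the method's Javadoc (outside the hunk) should mention.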
[43/50] [abbrv] directory-kerby git commit: A clean up for a
duplicate method
Posted by co...@apache.org.
A clean up for a duplicate method
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/62cf23d9
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/62cf23d9
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/62cf23d9
Branch: refs/heads/gssapi
Commit: 62cf23d920e8bc6b896945da89db55c88c7529e1
Parents: 34edd99
Author: Kai Zheng <ka...@intel.com>
Authored: Sun Jun 12 19:12:51 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../apache/kerby/kerberos/kerb/keytab/KeytabInputStream.java | 6 ------
1 file changed, 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/62cf23d9/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/keytab/KeytabInputStream.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/keytab/KeytabInputStream.java b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/keytab/KeytabInputStream.java
index f1ddeba..2e52b9c 100644
--- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/keytab/KeytabInputStream.java
+++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/keytab/KeytabInputStream.java
@@ -74,12 +74,6 @@ public class KeytabInputStream extends KrbInputStream {
return key;
}
- public String readCountedString() throws IOException {
- byte[] countedOctets = readCountedOctets();
- // ASCII
- return new String(countedOctets, "ASCII");
- }
-
@Override
public int readOctetsCount() throws IOException {
return readShort();
[26/50] [abbrv] directory-kerby git commit: DIRKRB-585 - Allow for
optional expiry + NotBefore claims when processing a JWT token
Posted by co...@apache.org.
DIRKRB-585 - Allow for optional expiry + NotBefore claims when processing a JWT token
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/97c587fe
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/97c587fe
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/97c587fe
Branch: refs/heads/gssapi
Commit: 97c587fe5886208a12595e8416ed5994b5d4e83c
Parents: 653f176
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Jun 15 17:09:28 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/provider/token/JwtTokenDecoder.java | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/97c587fe/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
----------------------------------------------------------------------
diff --git a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
index f4961e9..6d6e49e 100644
--- a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
+++ b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
@@ -269,17 +269,19 @@ public class JwtTokenDecoder implements TokenDecoder {
}
private boolean verifyExpiration(JWT jwtToken) throws IOException {
- boolean valid = false;
try {
Date expire = jwtToken.getJWTClaimsSet().getExpirationTime();
+ if (expire != null && new Date().after(expire)) {
+ return false;
+ }
Date notBefore = jwtToken.getJWTClaimsSet().getNotBeforeTime();
- if (expire != null && new Date().before(expire) && new Date().after(notBefore)) {
- valid = true;
+ if (notBefore != null && new Date().before(notBefore)) {
+ return false;
}
} catch (ParseException e) {
throw new IOException("Failed to get JWT claims set", e);
}
- return valid;
+ return true;
}
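Review bot: With the new code a token carrying no `exp` claim passes `verifyExpiration` with no lifetime bound at all, so a leaked token of that form remains usable indefinitely for obtaining tickets; that should be an explicit, documented decision on the method, e.g. `@return true if the token is inside its nbf/exp window; an absent claim disables that bound`, and ideally configurable. `new Date()` is evaluated separately for each comparison; capture it once, `Date now = new Date();`, so both checks use the same instant. No clock-skew tolerance is applied on either side, which is customary for JWT validation across hosts.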
/**
[35/50] [abbrv] directory-kerby git commit: No need to check the
request type to set the token
Posted by co...@apache.org.
No need to check the request type to set the token
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/a5ddca43
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/a5ddca43
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/a5ddca43
Branch: refs/heads/gssapi
Commit: a5ddca4371348a14962a3d18cbf8e5fec7938731
Parents: cc5c33a
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jun 17 12:44:05 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/server/preauth/token/TokenPreauth.java | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a5ddca43/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index 5abca91..81ce5dd 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -30,9 +30,7 @@ import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
import org.apache.kerby.kerberos.kerb.preauth.token.TokenPreauthMeta;
import org.apache.kerby.kerberos.kerb.provider.TokenDecoder;
import org.apache.kerby.kerberos.kerb.server.preauth.AbstractPreauthPlugin;
-import org.apache.kerby.kerberos.kerb.server.request.AsRequest;
import org.apache.kerby.kerberos.kerb.server.request.KdcRequest;
-import org.apache.kerby.kerberos.kerb.server.request.TgsRequest;
import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
@@ -108,13 +106,7 @@ public class TokenPreauth extends AbstractPreauthPlugin {
if (!audiences.contains(serverPrincipal.getName())) {
throw new KrbException("The token audience does not match with the target server principal!");
}
- if (kdcRequest instanceof AsRequest) {
- AsRequest asRequest = (AsRequest) kdcRequest;
- asRequest.setToken(authToken);
- } else if (kdcRequest instanceof TgsRequest) {
- TgsRequest tgsRequest = (TgsRequest) kdcRequest;
- tgsRequest.setToken(authToken);
- }
+ kdcRequest.setToken(authToken);
return true;
} else {
return false;
[14/50] [abbrv] directory-kerby git commit: DIRKRB-569 Add unit test
of multiple KDCs for a given realm in client.
Posted by co...@apache.org.
DIRKRB-569 Add unit test of multiple KDCs for a given realm in client.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/3fb403c6
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/3fb403c6
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/3fb403c6
Branch: refs/heads/gssapi
Commit: 3fb403c6ea5e60aacb2187a8573590ce8a74f49b
Parents: c810a30
Author: plusplusjiajia <ji...@intel.com>
Authored: Fri May 13 15:50:13 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kdc/MultiKdcsTest.java | 50 ++++++++++++++++++++
kerby-kdc-test/src/test/resources/kdc.conf | 29 ++++++++++++
.../src/test/resources/krb5-multikdc.conf | 29 ++++++++++++
.../kerby/kerberos/kerb/client/KrbHandler.java | 2 +-
.../client/impl/DefaultInternalKrbClient.java | 4 +-
.../kerberos/kerb/transport/KrbNetwork.java | 18 +++++--
.../kerby/kerberos/kerb/server/KdcTestBase.java | 4 ++
.../kerberos/kerb/server/TestKdcServer.java | 13 ++++-
.../kerberos/kerb/server/SimpleKdcServer.java | 10 ++++
9 files changed, 152 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/3fb403c6/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/MultiKdcsTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/MultiKdcsTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/MultiKdcsTest.java
new file mode 100644
index 0000000..6a61e49
--- /dev/null
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/MultiKdcsTest.java
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kdc;
+
+import org.apache.kerby.kerberos.kerb.client.KrbConfig;
+import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
+import org.apache.kerby.kerberos.kerb.server.TestKdcServer;
+import org.junit.Test;
+
+import java.io.File;
+import java.net.URL;
+
+public class MultiKdcsTest extends KerbyKdcTest {
+
+ @Override
+ protected void setUpKdcServer() throws Exception {
+
+ URL krb5FileUrl = this.getClass().getResource("/krb5-multikdc.conf");
+ File krb5File = new File(krb5FileUrl.toURI());
+ KrbConfig krbConfig = new KrbConfig();
+ krbConfig.addKrb5Config(krb5File);
+ SimpleKdcServer kdcServer = new TestKdcServer(krb5File.getParentFile(), krbConfig);
+ setKdcServer(kdcServer);
+ configKdcSeverAndClient();
+ prepareKdc();
+ kdcServer.start();
+ }
+
+ @Test
+ public void testKdc() throws Exception {
+ performKdcTest();
+ }
+}
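Review bot: `getResource("/krb5-multikdc.conf")` returns null when the resource is missing, and the next line then fails with a bare NPE; `Objects.requireNonNull(krb5FileUrl, "krb5-multikdc.conf not on test classpath")` makes the failure self-explanatory. `setUpKdcServer` overrides the base setup without saying why; a short Javadoc noting that it presumably loads the KDC list from `krb5-multikdc.conf` instead of the default config would help the next reader.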
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/3fb403c6/kerby-kdc-test/src/test/resources/kdc.conf
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/resources/kdc.conf b/kerby-kdc-test/src/test/resources/kdc.conf
new file mode 100644
index 0000000..cde6b0d
--- /dev/null
+++ b/kerby-kdc-test/src/test/resources/kdc.conf
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[kdcdefaults]
+ kdc_host = localhost
+ kdc_udp_port = 8801
+ kdc_tcp_port = 8801
+ kdc_realm = TEST.COM
+ restrict_anonymous_to_tgt = true
+ kdc_max_dgram_reply_size = 4096
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/3fb403c6/kerby-kdc-test/src/test/resources/krb5-multikdc.conf
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/resources/krb5-multikdc.conf b/kerby-kdc-test/src/test/resources/krb5-multikdc.conf
new file mode 100644
index 0000000..d5c30c0
--- /dev/null
+++ b/kerby-kdc-test/src/test/resources/krb5-multikdc.conf
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+[libdefaults]
+ default_realm = TEST.COM
+ kdc_host = localhost
+ kdc_realm = TEST.COM
+ kdc_tcp_port = 88
+ kdc_udp_port = 88
+
+[realms]
+ TEST.COM = {
+ kdc = localhost:8801
+ admin_server = kerberos.gnu.org
+ }
\ No newline at end of file
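Review bot: `admin_server = kerberos.gnu.org` names a real third-party host in a test fixture; if any code path resolves `admin_server`, the unit test performs a DNS lookup and possibly a connection attempt against an external system, so it should be `localhost` like the `kdc` entry. The `[realms]` block lists a single `kdc` line, so if the test is meant to exercise several KDCs for the realm as the commit title says, a second `kdc = localhost:<PORT>` entry is presumably intended; a comment either way would clarify.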
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/3fb403c6/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
index 1ec4e4d..32fad41 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbHandler.java
@@ -67,7 +67,7 @@ public abstract class KrbHandler {
* @throws KrbException e
*/
public void handleRequest(KdcRequest kdcRequest, boolean tryNextKdc) throws KrbException {
- if (!tryNextKdc) {
+ if (!tryNextKdc || kdcRequest.getKdcReq() == null) {
kdcRequest.process();
}
KdcReq kdcReq = kdcRequest.getKdcReq();
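Review bot: The new condition resends the already-built `KdcReq` unchanged when `tryNextKdc` is true, so the retry to the next KDC reuses the same nonce, timestamp and pre-authentication data as the failed attempt; that is acceptable when the first attempt never reached a KDC, but it is a contract callers need to know. The method's Javadoc above the hunk should state it, e.g. `@param tryNextKdc when true and a request was already built, it is resent as-is to the next KDC instead of being rebuilt`. `handleRequest` continues outside the hunk.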
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/3fb403c6/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
index 06c6a7f..2c83e2f 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/DefaultInternalKrbClient.java
@@ -90,7 +90,9 @@ public class DefaultInternalKrbClient extends AbstractInternalKrbClient {
throw new KrbException("Failed to create transport", first);
}
} finally {
- transport.release();
+ if (transport != null) {
+ transport.release();
+ }
}
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/3fb403c6/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/transport/KrbNetwork.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/transport/KrbNetwork.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/transport/KrbNetwork.java
index 62e0a43..4ff8e84 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/transport/KrbNetwork.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/transport/KrbNetwork.java
@@ -41,13 +41,25 @@ public class KrbNetwork {
if (tpair.tcpAddress != null) {
try {
transport = tcpConnect();
- } catch (IOException e) {
+ } catch (IOException e1) {
if (tpair.udpAddress != null) {
- transport = new KrbUdpTransport(tpair.udpAddress);
+ try {
+ transport = new KrbUdpTransport(tpair.udpAddress);
+ } catch (Exception e2) {
+ transport = null;
+ }
}
+ } catch (Exception e) {
+ e.printStackTrace();
}
} else {
- transport = new KrbUdpTransport(tpair.udpAddress);
+ if (tpair.udpAddress != null) {
+ try {
+ transport = new KrbUdpTransport(tpair.udpAddress);
+ } catch (Exception e3) {
+ transport = null;
+ }
+ }
}
if (transport == null) {
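Review bot: The added `catch (Exception e) { e.printStackTrace(); }` and the two `transport = null` catches discard the failure cause, so when the `transport == null` check below fires, the caller learns only that no transport was created and not whether it was a refused TCP connection, a bind failure on the UDP socket, or something else; `printStackTrace` also bypasses the project's logging. Keep the last failure in a local and chain it into the exception thrown at the `transport == null` site, as sketched below; the catch ordering and the TCP→UDP fallback are kept as the commit has them. The enclosing method starts and ends outside the hunk.
```java
Exception lastError = null;
if (tpair.tcpAddress != null) {
    try {
        transport = tcpConnect();
    } catch (IOException e1) {
        lastError = e1;
        if (tpair.udpAddress != null) {
            try {
                transport = new KrbUdpTransport(tpair.udpAddress);
            } catch (Exception e2) {
                lastError = e2;
                transport = null;
            }
        }
    } catch (Exception e) {
        lastError = e;
    }
} else if (tpair.udpAddress != null) {
    try {
        transport = new KrbUdpTransport(tpair.udpAddress);
    } catch (Exception e3) {
        lastError = e3;
        transport = null;
    }
}
// … unchanged: transport == null check — pass lastError as the cause of the exception thrown there …
```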
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/3fb403c6/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
index 8bc4205..9e8424f 100644
--- a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
@@ -69,6 +69,10 @@ public abstract class KdcTestBase {
return kdcServer;
}
+ protected void setKdcServer(SimpleKdcServer kdcServer) {
+ this.kdcServer = kdcServer;
+ }
+
protected KrbClient getKrbClient() {
return kdcServer.getKrbClient();
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/3fb403c6/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/TestKdcServer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/TestKdcServer.java b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/TestKdcServer.java
index 76f9bc1..955f966 100644
--- a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/TestKdcServer.java
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/TestKdcServer.java
@@ -25,13 +25,14 @@ import org.apache.kerby.kerberos.kerb.client.KrbConfig;
import org.apache.kerby.kerberos.kerb.client.KrbConfigKey;
import org.apache.kerby.util.NetworkUtil;
+import java.io.File;
+
public class TestKdcServer extends SimpleKdcServer {
public static final String KDC_REALM = "TEST.COM";
public static final String HOSTNAME = "localhost";
public TestKdcServer(boolean allowTcp, boolean allowUdp) throws KrbException {
super();
-
setKdcRealm(KDC_REALM);
setKdcHost(HOSTNAME);
setAllowTcp(allowTcp);
@@ -43,11 +44,19 @@ public class TestKdcServer extends SimpleKdcServer {
if (allowUdp) {
setKdcUdpPort(NetworkUtil.getServerPort());
}
+ setClient();
+ }
+
+ public TestKdcServer(File confDir, KrbConfig krbConfig) throws KrbException {
+ super(confDir, krbConfig);
+ setClient();
+ }
+ private void setClient() {
KrbClient krbClnt = getKrbClient();
KrbConfig krbConfig = krbClnt.getKrbConfig();
krbConfig.setString(KrbConfigKey.PERMITTED_ENCTYPES,
- "aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5 des3-cbc-sha1");
+ "aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5 des3-cbc-sha1");
krbClnt.setTimeout(10 * 1000);
}
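Review bot: The re-indented `PERMITTED_ENCTYPES` line in `setClient()` keeps `des-cbc-crc` and `des-cbc-md5` in the client's permitted list; single-DES is not acceptable outside tests, so if these are there only to cover legacy enctype negotiation, say so, `// des-* types are test-only, to exercise legacy negotiation; never permit them in a real client config`. `setClient()` is a private method called from both constructors, which is fine, but it has no Javadoc and is missing a blank line after the closing brace of the new constructor.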
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/3fb403c6/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java b/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
index 74e4ec9..c342d8b 100644
--- a/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
+++ b/kerby-kerb/kerb-simplekdc/src/main/java/org/apache/kerby/kerberos/kerb/server/SimpleKdcServer.java
@@ -59,6 +59,16 @@ public class SimpleKdcServer extends KdcServer {
setKdcPort(NetworkUtil.getServerPort());
}
+ public SimpleKdcServer(KrbConfig krbConfig) {
+ super();
+ this.krbClnt = new KrbClient(krbConfig);
+ }
+
+ public SimpleKdcServer(File confDir, KrbConfig krbConfig) throws KrbException {
+ super(confDir);
+ this.krbClnt = new KrbClient(krbConfig);
+ }
+
public void setWorkDir(File workDir) {
this.workDir = workDir;
}
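Review bot: The two new public constructors have no Javadoc, and unlike the constructor whose tail is visible above (`setKdcPort(NetworkUtil.getServerPort())`) they do not allocate a free port, so the KDC port comes from `krbConfig`/`confDir` or the `KdcServer` default; that difference is easy to miss and should be documented, e.g. `/** Creates a server whose client uses the given config; the KDC port is taken from the config rather than auto-assigned. */`. The `SimpleKdcServer(KrbConfig)` form also does not call `setKdcPort` before the client is built, so the client and server may disagree on the port unless the config supplies it; a comment or a check would help.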