Posted to commits@directory.apache.org by er...@apache.org on 2005/09/15 07:46:53 UTC
svn commit: r289158 - in
/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service:
BuildReply.java ChangePasswordContext.java
ConfigureChangePasswordChain.java ProcessPasswordChange.java
VerifyServiceTicketAuthHeader.java
Author: erodriguez
Date: Wed Sep 14 22:46:50 2005
New Revision: 289158
URL: http://svn.apache.org/viewcvs?rev=289158&view=rev
Log:
Updated changepw-protocol to use kerberos-common cipher hashed adapter, DIRCHANGEPW-1:
o Added hashed adapter to chain context and chain configuration.
o Deployed seal() and unseal() methods to password change processing, auth header verification, and reply sealing.
http://issues.apache.org/jira/browse/DIRCHANGEPW-1
Modified:
directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/BuildReply.java
directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordContext.java
directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ConfigureChangePasswordChain.java
directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ProcessPasswordChange.java
directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/VerifyServiceTicketAuthHeader.java
Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/BuildReply.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/BuildReply.java?rev=289158&r1=289157&r2=289158&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/BuildReply.java (original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/BuildReply.java Wed Sep 14 22:46:50 2005
@@ -23,11 +23,7 @@
import org.apache.changepw.messages.ChangePasswordReplyModifier;
import org.apache.kerberos.chain.Context;
import org.apache.kerberos.chain.impl.CommandBase;
-import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
import org.apache.kerberos.exceptions.KerberosException;
-import org.apache.kerberos.io.encoder.EncApRepPartEncoder;
-import org.apache.kerberos.io.encoder.EncKrbPrivPartEncoder;
import org.apache.kerberos.messages.application.ApplicationReply;
import org.apache.kerberos.messages.application.PrivateMessage;
import org.apache.kerberos.messages.components.Authenticator;
@@ -39,6 +35,7 @@
import org.apache.kerberos.messages.value.EncryptedData;
import org.apache.kerberos.messages.value.EncryptionKey;
import org.apache.kerberos.messages.value.HostAddress;
+import org.apache.kerberos.service.LockBox;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -50,8 +47,10 @@
public boolean execute( Context context ) throws Exception
{
ChangePasswordContext changepwContext = (ChangePasswordContext) context;
+
Authenticator authenticator = changepwContext.getAuthenticator();
Ticket ticket = changepwContext.getTicket();
+ LockBox lockBox = changepwContext.getLockBox();
// begin building reply
@@ -64,18 +63,14 @@
modifier.setSenderAddress( new HostAddress( InetAddress.getLocalHost() ) );
EncKrbPrivPart privPart = modifier.getEncKrbPrivPart();
- EncKrbPrivPartEncoder encoder = new EncKrbPrivPartEncoder();
- byte[] encodedPrivPart = encoder.encode( privPart );
-
// get the subsession key from the Authenticator
EncryptionKey subSessionKey = authenticator.getSubSessionKey();
- EncryptedData encPrivPart = null;
+ EncryptedData encPrivPart;
try
{
- EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( subSessionKey );
- encPrivPart = engine.getEncryptedData( subSessionKey, encodedPrivPart );
+ encPrivPart = lockBox.seal( subSessionKey, privPart );
}
catch ( KerberosException ke )
{
@@ -93,15 +88,12 @@
encApModifier.setSubSessionKey( authenticator.getSubSessionKey() );
EncApRepPart repPart = encApModifier.getEncApRepPart();
- EncApRepPartEncoder repEncoder = new EncApRepPartEncoder();
- byte[] encodedRepPart = repEncoder.encode( repPart );
- EncryptedData encRepPart = null;
+ EncryptedData encRepPart;
try
{
- EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( ticket.getSessionKey() );
- encRepPart = engine.getEncryptedData( ticket.getSessionKey(), encodedRepPart );
+ encRepPart = lockBox.seal( ticket.getSessionKey(), repPart );
}
catch ( KerberosException ke )
{
Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordContext.java?rev=289158&r1=289157&r2=289158&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordContext.java (original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordContext.java Wed Sep 14 22:46:50 2005
@@ -24,6 +24,7 @@
import org.apache.kerberos.messages.components.Authenticator;
import org.apache.kerberos.messages.components.Ticket;
import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.service.LockBox;
import org.apache.kerberos.store.PrincipalStore;
import org.apache.kerberos.store.PrincipalStoreEntry;
@@ -40,6 +41,7 @@
private Authenticator authenticator;
private PrincipalStoreEntry serverEntry;
private ReplayCache replayCache;
+ private LockBox lockBox;
/**
* @return Returns the replayCache.
@@ -135,6 +137,22 @@
public void setStore( PrincipalStore store )
{
this.store = store;
+ }
+
+ /**
+ * @return Returns the lockBox.
+ */
+ public LockBox getLockBox()
+ {
+ return lockBox;
+ }
+
+ /**
+ * @param lockBox The lockBox to set.
+ */
+ public void setLockBox( LockBox lockBox )
+ {
+ this.lockBox = lockBox;
}
/**
Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ConfigureChangePasswordChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ConfigureChangePasswordChain.java?rev=289158&r1=289157&r2=289158&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ConfigureChangePasswordChain.java (original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ConfigureChangePasswordChain.java Wed Sep 14 22:46:50 2005
@@ -20,16 +20,19 @@
import org.apache.kerberos.chain.impl.CommandBase;
import org.apache.kerberos.replay.InMemoryReplayCache;
import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.service.LockBox;
public class ConfigureChangePasswordChain extends CommandBase
{
private static final ReplayCache replayCache = new InMemoryReplayCache();
+ private static final LockBox lockBox = new LockBox();
public boolean execute( Context context ) throws Exception
{
ChangePasswordContext changepwContext = (ChangePasswordContext) context;
changepwContext.setReplayCache( replayCache );
+ changepwContext.setLockBox( lockBox );
return CONTINUE_CHAIN;
}
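Review bot: The new `private static final LockBox lockBox = new LockBox();` at L143 makes a single instance shared by every request the chain handles, concurrently, which is only safe if LockBox keeps no per-call state (cipher objects, buffers, partially decoded messages); nothing in this commit records that assumption. I would document it next to the field, e.g. `// shared by all requests, like replayCache; LockBox must be stateless / thread-safe`, or, if LockBox turns out to hold state, construct it inside execute() instead of statically. replayCache is already shared this way and is designed for it; whether the seal/unseal adapter is cannot be seen from this hunk.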
Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ProcessPasswordChange.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ProcessPasswordChange.java?rev=289158&r1=289157&r2=289158&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ProcessPasswordChange.java (original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ProcessPasswordChange.java Wed Sep 14 22:46:50 2005
@@ -16,8 +16,6 @@
*/
package org.apache.changepw.service;
-import java.io.IOException;
-
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
@@ -29,14 +27,12 @@
import org.apache.changepw.value.ChangePasswordDataModifier;
import org.apache.kerberos.chain.Context;
import org.apache.kerberos.chain.impl.CommandBase;
-import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
import org.apache.kerberos.exceptions.KerberosException;
-import org.apache.kerberos.io.decoder.EncKrbPrivPartDecoder;
import org.apache.kerberos.messages.components.Authenticator;
import org.apache.kerberos.messages.components.EncKrbPrivPart;
import org.apache.kerberos.messages.value.EncryptedData;
import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.service.LockBox;
import org.apache.kerberos.store.PrincipalStore;
import org.apache.kerberos.store.operations.ChangePassword;
import org.slf4j.Logger;
@@ -50,9 +46,11 @@
public boolean execute( Context context ) throws Exception
{
ChangePasswordContext changepwContext = (ChangePasswordContext) context;
+
ChangePasswordRequest request = (ChangePasswordRequest) changepwContext.getRequest();
PrincipalStore store = changepwContext.getStore();
Authenticator authenticator = changepwContext.getAuthenticator();
+ LockBox lockBox = changepwContext.getLockBox();
// TODO - check ticket is for service authorized to change passwords
// ticket.getServerPrincipal().getName().equals(config.getChangepwPrincipal().getName()));
@@ -62,28 +60,18 @@
// get the subsession key from the Authenticator
EncryptionKey subSessionKey = authenticator.getSubSessionKey();
- // getDecryptedData the request's private message with the subsession key
+ // decrypt the request's private message with the subsession key
EncryptedData encReqPrivPart = request.getPrivateMessage().getEncryptedPart();
EncKrbPrivPart privatePart;
try
{
- EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( subSessionKey );
-
- byte[] decPrivPart = engine.getDecryptedData( subSessionKey, encReqPrivPart );
-
- EncKrbPrivPartDecoder privDecoder = new EncKrbPrivPartDecoder();
- privatePart = privDecoder.decode( decPrivPart );
+ privatePart = (EncKrbPrivPart) lockBox.unseal( EncKrbPrivPart.class, subSessionKey, encReqPrivPart );
}
catch ( KerberosException ke )
{
log.error( ke.getMessage(), ke );
- throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR );
- }
- catch ( IOException ioe )
- {
- log.error( ioe.getMessage(), ioe );
throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR );
}
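Review bot: Removing the `catch ( IOException ioe )` block (L212-L215) changes how a malformed KRB-PRIV body is reported: unless `LockBox.unseal` converts ASN.1 decoding failures into `KerberosException`, an `IOException` from the decode now escapes `execute` (declared `throws Exception`) instead of being mapped to `ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR )` as before, so a client sending a corrupt request gets whatever the chain does with an unexpected exception rather than a kpasswd error reply. Please confirm unseal's declared exceptions; if it can still throw `IOException`, keep that catch with the previous mapping. Independently, `subSessionKey` (L192) reaches the unseal call unchecked; RFC 3244 encrypts the KRB-PRIV with the authenticator subkey, so a request whose authenticator lacks one cannot be processed and should be rejected with a protocol error before the unseal, e.g. `if ( subSessionKey == null ) { throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR ); }` (using the ErrorType constant the enum defines for an authentication failure, if one exists, rather than SOFTERROR). execute's body continues outside the hunk.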
Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/VerifyServiceTicketAuthHeader.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/VerifyServiceTicketAuthHeader.java?rev=289158&r1=289157&r2=289158&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/VerifyServiceTicketAuthHeader.java (original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/VerifyServiceTicketAuthHeader.java Wed Sep 14 22:46:50 2005
@@ -24,6 +24,7 @@
import org.apache.kerberos.messages.components.Ticket;
import org.apache.kerberos.messages.value.EncryptionKey;
import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.service.LockBox;
import org.apache.kerberos.service.VerifyAuthHeader;
public class VerifyServiceTicketAuthHeader extends VerifyAuthHeader
@@ -39,9 +40,10 @@
ReplayCache replayCache = changepwContext.getReplayCache();
boolean emptyAddressesAllowed = changepwContext.getConfig().isEmptyAddressesAllowed();
InetAddress clientAddress = changepwContext.getClientAddress();
+ LockBox lockBox = changepwContext.getLockBox();
Authenticator authenticator = verifyAuthHeader( authHeader, ticket, serverKey, clockSkew, replayCache,
- emptyAddressesAllowed, clientAddress );
+ emptyAddressesAllowed, clientAddress, lockBox );
changepwContext.setAuthenticator( authenticator );