Posted to commits@directory.apache.org by pl...@apache.org on 2015/11/04 09:25:55 UTC
[29/48] directory-kerby git commit: DIRKRB-434 Get the verify key for
signed JWT token from kdc config.
DIRKRB-434 Get the verify key for signed JWT token from kdc config.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/0df9588b
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/0df9588b
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/0df9588b
Branch: refs/heads/pkinit-support
Commit: 0df9588b49d354453683bfa0aa6c78535277ddb2
Parents: 91f6e71
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Oct 14 13:40:38 2015 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Wed Oct 14 13:40:38 2015 +0800
----------------------------------------------------------------------
.../kerb/client/preauth/token/TokenPreauth.java | 2 +-
.../kerb/spec/pa/token/PaTokenRequest.java | 4 +-
kerby-kerb/kerb-server/pom.xml | 5 +++
.../kerby/kerberos/kerb/server/KdcConfig.java | 4 ++
.../kerberos/kerb/server/KdcConfigKey.java | 3 +-
.../kerb/server/preauth/token/TokenPreauth.java | 43 +++++++++++++++++++-
6 files changed, 56 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0df9588b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
index 4ed5ec6..11aa0a2 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
@@ -188,7 +188,7 @@ public class TokenPreauth extends AbstractPreauthPlugin {
PaTokenRequest tokenPa = new PaTokenRequest();
tokenPa.setToken((KrbToken) authToken);
TokenInfo info = new TokenInfo();
- info.setTokenVendor("vendor");
+ info.setTokenVendor(authToken.getIssuer());
tokenPa.setTokenInfo(info);
EncryptedData paDataValue = EncryptionUtil.seal(tokenPa,
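Review bot: `info.setTokenVendor(authToken.getIssuer())` copies whatever issuer the token carries into the pre-auth data with no check that it is present; if `getIssuer()` returns null for a token without an issuer claim, the KDC-side key lookup that matches file names against this value cannot work. Consider `if (authToken.getIssuer() == null) { throw new KrbException("Token has no issuer"); }` before building `TokenInfo`, or at least a comment on the `setTokenVendor` call stating that the value is the token's issuer and that the KDC uses it to select a verification key. The enclosing method starts before this hunk.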
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0df9588b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/PaTokenRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/PaTokenRequest.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/PaTokenRequest.java
index d90aa89..969f4db 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/PaTokenRequest.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/pa/token/PaTokenRequest.java
@@ -50,8 +50,8 @@ public class PaTokenRequest extends KrbSequenceType {
setFieldAs(TOKEN, token);
}
- public String getTokenInfo() {
- return getFieldAsString(TOKEN_INFO);
+ public TokenInfo getTokenInfo() {
+ return getFieldAs(TOKEN_INFO, TokenInfo.class);
}
public void setTokenInfo(TokenInfo tokenInfo) {
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0df9588b/kerby-kerb/kerb-server/pom.xml
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/pom.xml b/kerby-kerb/kerb-server/pom.xml
index edb355c..117cfb6 100644
--- a/kerby-kerb/kerb-server/pom.xml
+++ b/kerby-kerb/kerb-server/pom.xml
@@ -47,5 +47,10 @@
<artifactId>kerb-identity</artifactId>
<version>${project.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.kerby</groupId>
+ <artifactId>token-provider</artifactId>
+ <version>${project.version}</version>
+ </dependency>
</dependencies>
</project>
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0df9588b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
index 7b041f1..e51b28d 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
@@ -161,4 +161,8 @@ public class KdcConfig extends Conf {
return KrbConfHelper.getIntUnderSection(this,
KdcConfigKey.KDC_MAX_DGRAM_REPLY_SIZE);
}
+
+ public String getVerifyKeyConfig() {
+ return KrbConfHelper.getStringUnderSection(this, KdcConfigKey.VERIFY_KEY);
+ }
}
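Review bot: `getVerifyKeyConfig` has no Javadoc and its name suggests it returns key material, while the server-side hunk in this commit passes the value to `new File(path).listFiles()`, i.e. treats it as a directory to scan for per-issuer public-key files. A reader of `KdcConfig` alone cannot tell that, so add `/** Returns the {@code verify_key} setting under {@code kdcdefaults}: the directory the KDC scans for per-issuer public keys used to verify signed JWT tokens, or null when not configured. */` above the method. The "null when not configured" part is what the server caller relies on (`if (verifyKeyPath != null)`), so it is worth stating explicitly.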
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0df9588b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
index a03dcbb..1311b02 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
@@ -48,7 +48,8 @@ public enum KdcConfigKey implements SectionConfigKey {
VERIFY_BODY_CHECKSUM(true),
ENCRYPTION_TYPES("aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd"),
RESTRICT_ANONYMOUS_TO_TGT(false, "kdcdefaults"),
- KDC_MAX_DGRAM_REPLY_SIZE(4096, "kdcdefaults");
+ KDC_MAX_DGRAM_REPLY_SIZE(4096, "kdcdefaults"),
+ VERIFY_KEY(null, "kdcdefaults");
private Object defaultValue;
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/0df9588b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index ba7cbec..ef06006 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -23,6 +23,7 @@ import org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.KrbRuntime;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.common.PublicKeyReader;
import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
import org.apache.kerby.kerberos.kerb.preauth.token.TokenPreauthMeta;
import org.apache.kerby.kerberos.kerb.provider.TokenDecoder;
@@ -39,8 +40,14 @@ import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
import org.apache.kerby.kerberos.kerb.spec.pa.token.PaTokenRequest;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.TokenInfo;
+import org.apache.kerby.kerberos.provider.token.JwtTokenDecoder;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
import java.io.IOException;
+import java.security.PublicKey;
import java.util.List;
public class TokenPreauth extends AbstractPreauthPlugin {
@@ -67,6 +74,27 @@ public class TokenPreauth extends AbstractPreauthPlugin {
KrbToken token = paTokenRequest.getToken();
TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+ if (tokenDecoder instanceof JwtTokenDecoder) {
+ TokenInfo tokenInfo = paTokenRequest.getTokenInfo();
+ String issuer = tokenInfo.getTokenVendor();
+ String verifyKeyPath = kdcRequest.getKdcContext().getConfig().getVerifyKeyConfig();
+ if (verifyKeyPath != null) {
+ File verifyKeyFile = getVerifyKeyFile(verifyKeyPath, issuer);
+ if (verifyKeyFile != null) {
+ PublicKey verifyKey = null;
+ try {
+ FileInputStream fis = new FileInputStream(verifyKeyFile);
+ verifyKey = PublicKeyReader.loadPublicKey(fis);
+ } catch (FileNotFoundException e) {
+ e.printStackTrace();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ ((JwtTokenDecoder) tokenDecoder).setVerifyKey(verifyKey);
+ }
+ }
+ }
+
AuthToken authToken = null;
try {
authToken = tokenDecoder.decodeFromBytes(token.getTokenValue());
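Review bot: When a verify-key directory is configured but no file matches the issuer, or loading the key throws, the code at `if (verifyKeyFile != null)` and `catch (Exception e) { e.printStackTrace(); }` falls through and `decodeFromBytes` still runs (with `setVerifyKey(null)` in the load-failure case), so a KDC that was configured to verify token signatures may silently stop doing so; this should fail closed with a `KrbException`. The `FileInputStream` is never closed, `tokenInfo` is dereferenced without a null check although `getFieldAs` presumably returns null when the client omits the field, and `printStackTrace` keeps the failure out of the KDC's logs. Note also that `issuer` comes from the client-supplied `TokenInfo`, not from the verified token, so whichever key it selects must still be cross-checked against the decoded token's own issuer claim after `decodeFromBytes` (I cannot see from here whether `JwtTokenDecoder` does that). The `instanceof JwtTokenDecoder` cast ties the server to one provider implementation; a `setVerifyKey` on the `TokenDecoder` SPI would keep the plugin provider-neutral. The enclosing method starts and ends outside this hunk.
```java
if (tokenDecoder instanceof JwtTokenDecoder) {
    TokenInfo tokenInfo = paTokenRequest.getTokenInfo();
    // Issuer is client-supplied; it only selects a key, it does not prove anything.
    String issuer = tokenInfo == null ? null : tokenInfo.getTokenVendor();
    String verifyKeyPath = kdcRequest.getKdcContext().getConfig().getVerifyKeyConfig();
    if (verifyKeyPath != null) {
        File verifyKeyFile = getVerifyKeyFile(verifyKeyPath, issuer);
        if (verifyKeyFile == null) {
            // Fail closed: verification is configured but no key exists for this issuer.
            throw new KrbException("No verify key found for token issuer: " + issuer);
        }
        try (FileInputStream fis = new FileInputStream(verifyKeyFile)) {
            ((JwtTokenDecoder) tokenDecoder).setVerifyKey(PublicKeyReader.loadPublicKey(fis));
        } catch (Exception e) {
            // Boundary catch: loadPublicKey's checked exceptions are not visible here.
            throw new KrbException("Failed to load verify key for issuer " + issuer, e);
        }
    }
}
// … unchanged: decodeFromBytes and the audience check …
```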
@@ -88,10 +116,23 @@ public class TokenPreauth extends AbstractPreauthPlugin {
throw new KrbException("Token audience not match with the target server principal!");
}
}
-
return true;
} else {
return false;
}
}
+
+ private File getVerifyKeyFile(String path, String issuer) {
+ File folder = new File(path);
+ File[] listOfFiles = folder.listFiles();
+ File verifyKeyFile = null;
+
+ for (int i = 0; i < listOfFiles.length; i++) {
+ if (listOfFiles[i].isFile() && listOfFiles[i].getName().contains(issuer)) {
+ verifyKeyFile = listOfFiles[i];
+ break;
+ }
+ }
+ return verifyKeyFile;
+ }
}
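Review bot: `listOfFiles[i].getName().contains(issuer)` picks the verification key by substring match on a value the client supplied in `TokenInfo`, so an empty issuer matches the first file in the directory and an issuer that is a prefix of another issuer's file name (`corp` against `corp-dev.pem`) selects that other key; key lookup should be an exact, sanitized match. `folder.listFiles()` returns null when `path` is not a directory or is unreadable, which makes the `for` loop throw `NullPointerException`, and a null issuer makes `contains` throw as well. The rewrite below rejects null, empty and path-like issuers and requires the file-name stem to equal the issuer; the real naming convention of the key files is not visible in this commit, so adjust the comparison to match it.
```java
private File getVerifyKeyFile(String path, String issuer) {
    // The issuer is client-controlled: never let it steer the lookup beyond an exact name.
    if (issuer == null || issuer.isEmpty()
            || issuer.contains("/") || issuer.contains("\\") || issuer.contains("..")) {
        return null;
    }
    File[] listOfFiles = new File(path).listFiles();
    if (listOfFiles == null) {
        return null; // not a directory, or unreadable
    }
    for (File candidate : listOfFiles) {
        String name = candidate.getName();
        int dot = name.lastIndexOf('.');
        String stem = dot > 0 ? name.substring(0, dot) : name;
        // Exact match on the stem, not substring containment.
        if (candidate.isFile() && stem.equals(issuer)) {
            return candidate;
        }
    }
    return null;
}
```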