Posted to commits@directory.apache.org by ak...@apache.org on 2005/02/02 17:49:12 UTC
svn commit: r149531 - in
incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam:
KeyIntegrityChecker.java SamSubsystem.java SamVerifier.java
Author: akarasulu
Date: Wed Feb 2 08:49:08 2005
New Revision: 149531
URL: http://svn.apache.org/viewcvs?view=rev&rev=149531
Log:
changes ...
o to make sam work we have to generate and test sad data to decrypt timestamps
o we changed verifier which now has new verify signature and is initialized
with a KeyIntegrityChecker
o we require the SamSubsystem to be setup with KeyIntegrityChecker to
function
o added new KeyIntegrityChecker interface to be used by SamVerifiers to
generate the KerberosKey to use for payload encryption.
Added:
incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/KeyIntegrityChecker.java
Modified:
incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamSubsystem.java
incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamVerifier.java
Added: incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/KeyIntegrityChecker.java
URL: http://svn.apache.org/viewcvs/incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/KeyIntegrityChecker.java?view=auto&rev=149531
==============================================================================
--- incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/KeyIntegrityChecker.java (added)
+++ incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/KeyIntegrityChecker.java Wed Feb 2 08:49:08 2005
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.sam;
+
+
+import javax.security.auth.kerberos.KerberosKey;
+
+
+/**
+ * Checks the integrity of a kerberos key to decode-decrypt an encrypted
+ * generalized timestamp representing the pre-auth data.
+ *
+ * @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public interface KeyIntegrityChecker
+{
+ /**
+ * Checks the integrity of a KerberosKey to decrypt-decode and compare an
+ * encrypted encoded generalized timestamp representing the preauth data.
+ *
+ * @param preauthData the generalized timestamp encrypted with client hotp
+ * generated KerberosKey
+ * @param key the KerberosKey generated from server side hotp value
+ * @return true if the key can decrypt-decode and make sense out of the
+ * timestamp verifying that it is in skew, false otherwise
+ */
+ boolean checkKeyIntegrity( byte[] preauthData, KerberosKey key );
+}
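Review bot: The contract of `checkKeyIntegrity` does not say whether a null or malformed `preauthData`, or a key that simply fails to decrypt it, yields false or an exception, and since this result decides whether pre-authentication is accepted, implementers and callers need that pinned down. I would add to the method Javadoc: `Implementations should return false rather than throw when the data cannot be decrypted or decoded, or when the decoded timestamp falls outside the permitted clock skew.` The Javadoc also refers to the timestamp being "in skew" without saying where the skew window comes from; presumably it is an implementation detail, and the comment should state that.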
Modified: incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamSubsystem.java
URL: http://svn.apache.org/viewcvs/incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamSubsystem.java?view=diff&r1=149530&r2=149531
==============================================================================
--- incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamSubsystem.java (original)
+++ incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamSubsystem.java Wed Feb 2 08:49:08 2005
@@ -19,6 +19,8 @@
import java.util.HashMap;
+import javax.security.auth.kerberos.KerberosKey;
+
import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
@@ -37,21 +39,40 @@
/** a map of verifiers so we do not need to create a new one every time */
private static final HashMap verifiers = new HashMap();
+ /** the key integrity checker used by the subsystem for all sam types */
+ private static KeyIntegrityChecker keyChecker;
+
+
+ /**
+ * Sets the KeyIntegrityChecker used by the entire SamSubsystem.
+ *
+ * @param keyChecker the KeyIntegrityChecker used by the entire SamSubsystem
+ */
+ public static void setIntegrityChecker( KeyIntegrityChecker keyChecker )
+ {
+ SamSubsystem.keyChecker = keyChecker;
+ }
+
/**
* Uses the principal entry information to load the approapriate SamVerifier
* and verify the Single-use password.
*
* @param entry the store entry for the Kerberos principal
- * @param sup the single use password value
+ * @param sad the single-use authentication data encrypted timestamp payload
* @return true if verification passed, false otherwise
* @throws SamException thrown when there is a failure within the verifier
* or a verifier cannot be found.
*/
- public static boolean verify( PrincipalStoreEntry entry, String sup ) throws SamException
+ public static KerberosKey verify( PrincipalStoreEntry entry, byte[] sad ) throws SamException
{
SamVerifier verifier = null;
+ if ( keyChecker == null )
+ {
+ throw new IllegalStateException( "SamSubsystem not enabled with key integrity checker" );
+ }
+
if ( entry.getSamType() == null )
{
throw new SamException( entry.getSamType(), "Entry has null SAM type" );
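Review bot: The Javadoc retained above the new signature still says `@return true if verification passed, false otherwise`, but `verify` now returns a KerberosKey, and the IllegalStateException thrown when no checker is configured is not listed under `@throws`. I would replace the `@return` line with `@return the KerberosKey derived from the verified single-use authentication data` and add `@throws IllegalStateException if no KeyIntegrityChecker has been set via setIntegrityChecker`, and state what happens on a failed verification (a null return or a SamException), since the old boolean result made that explicit. The same missing `@return` applies to the `SamVerifier.verify` Javadoc in the third file of this commit, where the old `@return` line was removed without a replacement. The body of `verify` continues outside this hunk.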
@@ -63,7 +84,7 @@
String user = entry.getPrincipal().getName();
- return verifier.verify( user, entry.getRealmName(), sup );
+ return verifier.verify( user, entry.getRealmName(), sad );
}
String key = PROPKEY_BASE + entry.getSamType().getOrdinal();
@@ -83,6 +104,8 @@
verifier = ( SamVerifier ) c.newInstance();
+ verifier.setIntegrityChecker( keyChecker );
+
if ( ! verifier.getSamType().equals( entry.getSamType() ) )
{
String msg = "Expecting entries with SAM type of " + verifier.getSamType();
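Review bot: `verifier.setIntegrityChecker( keyChecker )` runs only when a verifier is first instantiated; verifiers are then stored in the static `verifiers` map and, on the cached path earlier in this method, reused without the checker being refreshed, so a later `SamSubsystem.setIntegrityChecker` call will not reach verifiers that already exist. If the checker is meant to be set once at startup, that should be documented on the setter, e.g. `Must be called before the first verify() call; verifiers created earlier keep the checker they were given.`; otherwise the cached path should also call `verifier.setIntegrityChecker( keyChecker )` before delegating. The static `keyChecker` field is also written and read with no synchronization or `volatile`, so a checker set from another thread is not guaranteed to be visible to the verify path. The enclosing method starts and ends outside this hunk.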
@@ -96,7 +119,7 @@
verifiers.put( verifier.getSamType(), verifier );
- return verifier.verify( user, entry.getRealmName(), sup );
+ return verifier.verify( user, entry.getRealmName(), sad );
}
catch ( ClassNotFoundException e )
{
Modified: incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamVerifier.java
URL: http://svn.apache.org/viewcvs/incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamVerifier.java?view=diff&r1=149530&r2=149531
==============================================================================
--- incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamVerifier.java (original)
+++ incubator/directory/kerberos/trunk/core/src/java/org/apache/kerberos/sam/SamVerifier.java Wed Feb 2 08:49:08 2005
@@ -17,6 +17,9 @@
package org.apache.kerberos.sam;
+import javax.security.auth.kerberos.KerberosKey;
+
+
/**
* Single-use Authentication Mechanism verifier (subsystem) interface.
*
@@ -26,14 +29,25 @@
public interface SamVerifier
{
/**
+ * SamVerifiers require a KeyIntegrityChecker to calculate the integrity of
+ * a HOTP generated KerberosKey. The Kerberos service exposes this interface
+ * and supplies it to the verifier to check generated keys to conduct the
+ * verification workflow.
+ *
+ * @param keyChecker the integrity checker that validates whether or not a
+ * key can decrypt-decode preauth data (an encryped-encoded generalized
+ * timestamp)
+ */
+ void setIntegrityChecker( KeyIntegrityChecker keyChecker );
+
+ /**
* Verifies the single use password supplied.
*
* @param uid the unique id of the user within an authentication domain
* @param domain the authentication domain of the user
- * @param sup the value of the single use password
- * @return true if the single-use password is verified a correct, false otherwise
+ * @param sad single-use authentication data (encrypted generalized timestamp)
*/
- boolean verify( String uid, String domain, String sup ) throws SamException;
+ KerberosKey verify( String uid, String domain, byte[] sad ) throws SamException;
/**
* Gets the registered SAM algorithm type implemented by this SamVerifier.