Posted to commits@directory.apache.org by er...@apache.org on 2005/09/04 03:48:10 UTC

svn commit: r267544 - in /directory/protocol-providers/kerberos/trunk: ./ src/java/org/apache/kerberos/kdc/ticketgrant/

Author: erodriguez
Date: Sat Sep  3 18:48:02 2005
New Revision: 267544

URL: http://svn.apache.org/viewcvs?rev=267544&view=rev
Log:
Addition of body checksum verification to TGS
o  bump up asn1-der dep, for access to the undecoded DER sequence of the body
o  addition of checksumType to context monitor logging
o  insertion of body checksum verification to TGS chain

Modified:
    directory/protocol-providers/kerberos/trunk/project.xml
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java

Modified: directory/protocol-providers/kerberos/trunk/project.xml
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/project.xml?rev=267544&r1=267543&r2=267544&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/project.xml (original)
+++ directory/protocol-providers/kerberos/trunk/project.xml Sat Sep  3 18:48:02 2005
@@ -96,7 +96,7 @@
     <dependency>
       <groupId>directory-asn1</groupId>
       <artifactId>asn1-der</artifactId>
-      <version>0.3.1</version>
+      <version>0.3.3-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>junit</groupId>

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java?rev=267544&r1=267543&r2=267544&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java (original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java Sat Sep  3 18:48:02 2005
@@ -20,6 +20,7 @@
 
 import org.apache.kerberos.chain.Context;
 import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.checksum.ChecksumType;
 import org.apache.kerberos.messages.ApplicationRequest;
 import org.apache.kerberos.messages.components.Ticket;
 import org.apache.kerberos.replay.ReplayCache;
@@ -46,6 +47,7 @@
                 Ticket tgt = tgsContext.getTgt();
                 long clockSkew = tgsContext.getConfig().getClockSkew();
                 ReplayCache replayCache = tgsContext.getReplayCache();
+                ChecksumType checksumType = tgsContext.getAuthenticator().getChecksum().getChecksumType();
 
                 StringBuffer sb = new StringBuffer();
 
@@ -53,7 +55,8 @@
                 sb.append( "\n\t" + "authHeader             " + authHeader );
                 sb.append( "\n\t" + "tgt                    " + tgt );
                 sb.append( "\n\t" + "replayCache            " + replayCache );
-                sb.append( "\n\t" + "clock skew             " + clockSkew );
+                sb.append( "\n\t" + "clockSkew              " + clockSkew );
+                sb.append( "\n\t" + "checksumType           " + checksumType );
 
                 KerberosPrincipal requestServerPrincipal = tgsContext.getRequest().getServerPrincipal();
                 PrincipalStoreEntry requestPrincipal = tgsContext.getRequestPrincipalEntry();

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java?rev=267544&r1=267543&r2=267544&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java (original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java Sat Sep  3 18:48:02 2005
@@ -45,6 +45,7 @@
         addCommand( new VerifyTgt() );
         addCommand( new GetTicketPrincipalEntry() );
         addCommand( new VerifyTgtAuthHeader() );
+        addCommand( new VerifyBodyChecksum() );
         addCommand( new GetRequestPrincipalEntry() );
         addCommand( new GenerateTicket() );
         addCommand( new BuildReply() );
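Review bot: The new `addCommand( new VerifyBodyChecksum() )` is inserted after VerifyTgtAuthHeader with no comment, yet the position is load-bearing: the body checksum is read out of the authenticator, so comparing it proves anything only once the authenticator has been decrypted and verified, which VerifyTgtAuthHeader presumably does. A one-line comment such as `// must follow VerifyTgtAuthHeader: the body checksum is taken from the verified authenticator` would keep a later reordering from silently weakening the check. The enclosing constructor or method starts outside the hunk.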

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java?rev=267544&r1=267543&r2=267544&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java (original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java Sat Sep  3 18:48:02 2005
@@ -16,16 +16,13 @@
  */
 package org.apache.kerberos.kdc.ticketgrant;
 
-import java.io.IOException;
-
 import org.apache.kerberos.chain.Context;
 import org.apache.kerberos.chain.impl.CommandBase;
 import org.apache.kerberos.crypto.checksum.ChecksumEngine;
+import org.apache.kerberos.crypto.checksum.ChecksumType;
 import org.apache.kerberos.crypto.checksum.RsaMd5Checksum;
 import org.apache.kerberos.exceptions.ErrorType;
 import org.apache.kerberos.exceptions.KerberosException;
-import org.apache.kerberos.io.encoder.KdcReqBodyEncoder;
-import org.apache.kerberos.messages.KdcRequest;
 import org.apache.kerberos.messages.value.Checksum;
 
 public class VerifyBodyChecksum extends CommandBase
@@ -33,51 +30,30 @@
     public boolean execute( Context context ) throws Exception
     {
         TicketGrantingContext tgsContext = (TicketGrantingContext) context;
-        KdcRequest request = tgsContext.getRequest();
+        byte[] bodyBytes = tgsContext.getRequest().getBodyBytes();
         Checksum checksum = tgsContext.getAuthenticator().getChecksum();
 
-        verifyBodyChecksum( checksum, request );
+        verifyChecksum( checksum, bodyBytes );
 
         return CONTINUE_CHAIN;
     }
 
-    private void verifyBodyChecksum( Checksum authChecksum, KdcRequest request ) throws KerberosException
+    private void verifyChecksum( Checksum checksum, byte[] bytes ) throws KerberosException
     {
-        if ( authChecksum == null )
+        if ( checksum == null )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
         }
 
-        /*
-         if (auth_hdr.authenticator.cksum type is not supported) then
-         error_out(KDC_ERR_SUMTYPE_NOSUPP);
-         endif
-         */
-
-        /*
-         if (auth_hdr.authenticator.cksum is not both collision-proof and keyed)  then
-         error_out(KRB_AP_ERR_INAPP_CKSUM);
-         endif
-         */
-
-        KdcReqBodyEncoder encoder = new KdcReqBodyEncoder();
-        byte[] bytes = null;
-
-        try
+        if ( !checksum.getChecksumType().equals( ChecksumType.RSA_MD5 ) )
         {
-            bytes = encoder.encode( request );
-        }
-        catch ( IOException ioe )
-        {
-            ioe.printStackTrace();
+            throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP );
         }
 
         ChecksumEngine digester = new RsaMd5Checksum();
         Checksum newChecksum = new Checksum( digester.checksumType(), digester.calculateChecksum( bytes ) );
 
-        boolean equal = newChecksum.equals( authChecksum );
-
-        if ( !equal )
+        if ( !newChecksum.equals( checksum ) )
         {
             throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED );
         }
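Review bot: The removed pseudo-code block recorded the requirement from the Kerberos specification (RFC 4120) that the authenticator checksum be both collision-proof and keyed, with KRB_AP_ERR_INAPP_CKSUM otherwise, and the new `verifyChecksum` replaces it with a hard-coded acceptance of `ChecksumType.RSA_MD5`, which is an unkeyed, non-collision-resistant checksum; if accepting it is a deliberate interoperability choice, that reasoning should survive as a comment on the RSA_MD5 branch rather than vanish with the pseudo-code, e.g. `// rsa-md5 is neither keyed nor collision-proof; accepted for interop only, revisit once keyed checksum types are supported`. The check remains meaningful because the checksum arrives inside the encrypted authenticator, but that relies on VerifyTgtAuthHeader having already decrypted and validated it, which is not visible here. `bytes` comes straight from `getBodyBytes()` into `digester.calculateChecksum( bytes )`; a request that was not decoded from DER may carry `null` there and should be rejected with a KerberosException rather than surfacing as a NullPointerException. Whether `Checksum.equals` compares the digests in constant time is not visible from this hunk; comparing the raw digest bytes with `MessageDigest.isEqual` would make that explicit.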