Posted to commits@directory.apache.org by pl...@apache.org on 2017/08/03 13:06:18 UTC
directory-kerby git commit: Get the KerberosKey from Subject as the
server key.
Repository: directory-kerby
Updated Branches:
refs/heads/trunk 75dc602f7 -> ea45cc80f
Get the KerberosKey from Subject as the server key.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/ea45cc80
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/ea45cc80
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/ea45cc80
Branch: refs/heads/trunk
Commit: ea45cc80f175a0d1292dbb4bfa69f75bba78b35b
Parents: 75dc602
Author: plusplusjiajia <ji...@intel.com>
Authored: Thu Aug 3 21:06:11 2017 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Thu Aug 3 21:06:11 2017 +0800
----------------------------------------------------------------------
.../kerby/kerberos/kerb/gss/impl/CredUtils.java | 7 ++++
.../kerberos/kerb/gss/impl/GssAcceptCred.java | 35 ++++++++++++++++----
.../kerberos/kerb/gss/impl/GssContext.java | 8 +++--
.../kerby/kerberos/kerb/gss/impl/GssUtil.java | 2 +-
4 files changed, 42 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/ea45cc80/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java
index 4088b5c..944a5a6 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/CredUtils.java
@@ -36,6 +36,13 @@ public class CredUtils {
}
}
+ public static Set<KerberosKey> getKerberosKeysFromContext(GSSCaller caller,
+ final String clientName,
+ final String serverName) throws GSSException {
+ Set<KerberosKey> kerberosKeys = getContextCredentials(KerberosKey.class);
+ return kerberosKeys;
+ }
+
public static KerberosTicket getKerberosTicketFromContext(GSSCaller caller,
final String clientName,
final String serverName) throws GSSException {
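Review bot: The new `getKerberosKeysFromContext` ignores all three of its parameters, so when a caller asks for keys of a specific principal (GssAcceptCred passes `name.getPrincipalName().getName()`) it still receives every KerberosKey held by the current Subject, including keys of other principals. The sibling `getKerberosTicketFromContext` takes the same parameters, so presumably `clientName` is meant as the acceptor's own principal here too; filtering on it keeps the acceptor from picking up a foreign key. The `kerberosKeys` local is also redundant once the filter exists. The rewrite below needs `java.util.HashSet` in scope if the file does not already import it; `getContextCredentials` is defined outside this hunk.
```java
        Set<KerberosKey> kerberosKeys = getContextCredentials(KerberosKey.class);
        if (kerberosKeys == null || clientName == null) {
            return kerberosKeys;
        }
        // The Subject may hold keys for several principals; keep only the requested one.
        Set<KerberosKey> matched = new HashSet<>();
        for (KerberosKey key : kerberosKeys) {
            if (clientName.equals(key.getPrincipal().getName())) {
                matched.add(key);
            }
        }
        return matched.isEmpty() ? null : matched;
```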
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/ea45cc80/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
index bb5bfd0..7a361fc 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssAcceptCred.java
@@ -30,11 +30,13 @@ import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KeyTab;
+import java.util.Set;
public final class GssAcceptCred extends GssCredElement {
private final KeyTab keyTab;
private final KerberosTicket ticket;
+ private final Set<KerberosKey> kerberosKeySet;
public static GssAcceptCred getInstance(final GSSCaller caller,
GssNameElement name, int lifeTime) throws GSSException {
@@ -42,16 +44,19 @@ public final class GssAcceptCred extends GssCredElement {
// Try to get a keytab first
KeyTab keyTab = getKeyTab(name);
KerberosTicket ticket = null;
+ Set<KerberosKey> kerberosKeySet = null;
if (keyTab == null) {
// Otherwise try to get a kerberos ticket
if (name == null) {
ticket = CredUtils.getKerberosTicketFromContext(caller, null, null);
+ kerberosKeySet = CredUtils.getKerberosKeysFromContext(caller, null, null);
} else {
ticket = CredUtils.getKerberosTicketFromContext(caller, name.getPrincipalName().getName(), null);
+ kerberosKeySet = CredUtils.getKerberosKeysFromContext(caller, name.getPrincipalName().getName(), null);
}
}
- if (keyTab == null && ticket == null) {
+ if (keyTab == null && ticket == null && kerberosKeySet == null) {
String error = "Failed to find any Kerberos credential";
if (name != null) {
error += " for " + name.getPrincipalName().getName();
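Review bot: The guard `if (keyTab == null && ticket == null && kerberosKeySet == null)` treats an empty set as a usable credential; if `CredUtils.getContextCredentials` returns an empty set rather than null when the Subject holds no KerberosKey (not visible here, so confirm), the "Failed to find any Kerberos credential" path is skipped and `kerberosKeySet.iterator().next()` in the following hunk throws NoSuchElementException instead of a GSSException. Normalising right after the lookup keeps the rest of the method as is: `if (kerberosKeySet != null && kerberosKeySet.isEmpty()) { kerberosKeySet = null; }`. getInstance starts above this hunk and continues in the next one.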
@@ -61,13 +66,19 @@ public final class GssAcceptCred extends GssCredElement {
if (name == null) {
if (keyTab != null) {
- name = GssNameElement.getInstance(keyTab.getPrincipal().getName(), GSSName.NT_HOSTBASED_SERVICE);
- } else {
- name = GssNameElement.getInstance(ticket.getClient().getName(), GSSName.NT_HOSTBASED_SERVICE);
+ name = GssNameElement.getInstance(keyTab.getPrincipal().getName(),
+ GSSName.NT_HOSTBASED_SERVICE);
+ } else if (ticket != null) {
+ name = GssNameElement.getInstance(ticket.getClient().getName(),
+ GSSName.NT_HOSTBASED_SERVICE);
+ } else if (kerberosKeySet != null) {
+ name = GssNameElement.getInstance(
+ kerberosKeySet.iterator().next().getPrincipal().getName(),
+ GSSName.NT_HOSTBASED_SERVICE);
}
}
- return new GssAcceptCred(caller, name, keyTab, ticket, lifeTime);
+ return new GssAcceptCred(caller, name, keyTab, ticket, lifeTime, kerberosKeySet);
}
private static KeyTab getKeyTab(GssNameElement name) throws GSSException {
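Review bot: `kerberosKeySet.iterator().next().getPrincipal().getName()` derives the acceptor name from an arbitrary element of an unordered Set, so if the Subject holds keys for more than one principal the credential name is nondeterministic between runs. Until the lookup in CredUtils filters by principal, this branch should at least document the assumption: `// Assumes every key in the Subject belongs to the acceptor principal; an unordered Set gives no stable first element`. If that assumption cannot be guaranteed, reject the set when the principals differ rather than picking one silently. getInstance starts in the previous hunk.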
@@ -80,11 +91,13 @@ public final class GssAcceptCred extends GssCredElement {
}
}
- private GssAcceptCred(GSSCaller caller, GssNameElement name, KeyTab keyTab, KerberosTicket ticket, int lifeTime) {
+ private GssAcceptCred(GSSCaller caller, GssNameElement name, KeyTab keyTab,
+ KerberosTicket ticket, int lifeTime, Set<KerberosKey> kerberosKeySet) {
super(caller, name);
this.keyTab = keyTab;
this.ticket = ticket;
this.accLifeTime = lifeTime;
+ this.kerberosKeySet = kerberosKeySet;
}
public boolean isInitiatorCredential() throws GSSException {
@@ -105,7 +118,7 @@ public final class GssAcceptCred extends GssCredElement {
public KerberosKey[] getKeys() {
KerberosPrincipal princ = new KerberosPrincipal(name.getPrincipalName().getName(),
- name.getPrincipalName().getNameType().getValue());
+ name.getPrincipalName().getNameType().getValue());
if (keyTab != null) {
return keyTab.getKeys(princ);
}
@@ -119,4 +132,12 @@ public final class GssAcceptCred extends GssCredElement {
}
return null;
}
+
+ public KerberosKey[] getKerberosKeys() {
+ if (kerberosKeySet != null) {
+ return kerberosKeySet.toArray(new KerberosKey[kerberosKeySet.size()]);
+ }
+ return null;
+ }
+
}
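Review bot: The new public `getKerberosKeys()` has no Javadoc, and a reader cannot tell from the name how it differs from the existing `getKeys()` two hunks above. Suggested: `/** Returns the KerberosKey entries obtained from the current Subject (see CredUtils.getKerberosKeysFromContext), or null when the credential was not built from Subject keys. Keys may already be destroyed; callers must check isDestroyed(). */`. Returning null rather than an empty array is consistent with `getKeys()`, so keep that but state it.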
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/ea45cc80/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
index c719a1a..92e67d4 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssContext.java
@@ -435,8 +435,12 @@ public class GssContext implements GSSContextSpi {
int kvno = apReq.getTicket().getEncryptedEncPart().getKvno();
int encryptType = apReq.getTicket().getEncryptedEncPart().getEType().getValue();
- // Get server key from ticket
- EncryptionKey serverKey = acceptCred.getKeyFromTicket();
+ EncryptionKey serverKey = GssUtil.getEncryptionKey(acceptCred.getKerberosKeys(), encryptType, kvno);
+
+ if (serverKey == null) {
+ // Get server key from ticket
+ serverKey = acceptCred.getKeyFromTicket();
+ }
if (serverKey == null) {
// Otherwise get it from the keytab
serverKey = GssUtil.getEncryptionKey(acceptCred.getKeys(), encryptType, kvno);
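Review bot: The removed comment `// Get server key from ticket` is restored on the fallback, but the new first lookup `EncryptionKey serverKey = GssUtil.getEncryptionKey(acceptCred.getKerberosKeys(), encryptType, kvno);` has none, so the new precedence order (Subject keys, then ticket session key, then keytab) is not stated anywhere. Suggested line above it: `// Prefer KerberosKey entries from the current Subject, then the ticket's session key, then the keytab`. Note also that the `kvno` argument passed here is no longer honoured by GssUtil.getEncryptionKey after this commit (see the GssUtil hunk). The enclosing method starts and ends outside this hunk.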
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/ea45cc80/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
index 0ee6d2c..08e47df 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gss/impl/GssUtil.java
@@ -348,7 +348,7 @@ public class GssUtil {
return null;
}
for (KerberosKey krbKey : krbKeys) {
- if (krbKey.getKeyType() == encType && krbKey.getVersionNumber() == kvno && !krbKey.isDestroyed()) {
+ if (krbKey.getKeyType() == encType && !krbKey.isDestroyed()) {
return new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
}
}
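Review bot: Dropping `krbKey.getVersionNumber() == kvno` from the condition makes `getEncryptionKey` return the first non-destroyed key of the requested encryption type regardless of key version, so the `kvno` parameter is now dead and both callers in GssContext (Subject keys and the keytab fallback) can be handed a stale key after a key rotation even though the matching kvno is present in the keytab; decryption of the AP-REQ ticket then fails instead of succeeding. If the motivation is that Subject-derived KerberosKey objects carry a version number that does not match the ticket (presumably 0; confirm), prefer an exact (etype, kvno) match and fall back to etype-only only when no exact match exists. The enclosing method starts and ends outside this hunk; the final `return` after the loop would become the fallback return shown below.
```java
        // Prefer an exact (etype, kvno) match; fall back to etype-only so keys whose
        // version number is not known to the caller can still be used.
        KerberosKey fallback = null;
        for (KerberosKey krbKey : krbKeys) {
            if (krbKey.getKeyType() != encType || krbKey.isDestroyed()) {
                continue;
            }
            if (krbKey.getVersionNumber() == kvno) {
                return new EncryptionKey(krbKey.getKeyType(), krbKey.getEncoded());
            }
            if (fallback == null) {
                fallback = krbKey;
            }
        }
        return fallback == null ? null : new EncryptionKey(fallback.getKeyType(), fallback.getEncoded());
```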