

use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class ServiceCredsCombination method check.

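/**
 * Checks that acquiring acceptor credentials for principal {@code a} from a
 * Subject built out of {@code objs} yields a credential whose name is
 * {@code b}.
 *
 * @param a    get a creds for this principal, null for default one
 * @param b    expected name, null for still unbound, "NOCRED" for no creds
 * @param objs princs, keys and keytabs placed in the subject; elements of
 *             any other type are silently ignored
 * @throws Exception if the acquired name differs from {@code b}, or if
 *         acquisition fails although {@code b} is not "NOCRED" (the
 *         underlying failure is attached as the cause)
 */
private static void check(final String a, String b, Object... objs) throws Exception {
    Subject subj = new Subject();
    for (Object obj : objs) {
        if (obj instanceof KerberosPrincipal) {
            subj.getPrincipals().add((KerberosPrincipal) obj);
        } else if (obj instanceof KerberosKey || obj instanceof KeyTab) {
            // Keys and keytabs are private credentials of the subject.
            subj.getPrivateCredentials().add(obj);
        }
    }
    final GSSManager man = GSSManager.getInstance();
    try {
        String result = Subject.doAs(subj, new PrivilegedExceptionAction<String>() {

            @Override
            public String run() throws GSSException {
                // A null name asks for an unbound (default) acceptor credential.
                GSSCredential cred = man.createCredential(
                        a == null ? null : man.createName(r(a), null),
                        GSSCredential.INDEFINITE_LIFETIME,
                        GSSUtil.GSS_KRB5_MECH_OID,
                        GSSCredential.ACCEPT_ONLY);
                GSSName name = cred.getName();
                return name == null ? null : name.toString();
            }
        });
        if (!Objects.equals(result, r(b))) {
            throw new Exception("Check failed: getInstance(" + a + ") has name "
                    + result + ", not " + b);
        }
    } catch (PrivilegedActionException e) {
        if (!"NOCRED".equals(b)) {
            // Keep the GSSException as the cause so the test output shows
            // why credential acquisition failed, not just that it did.
            throw new Exception("Check failed: getInstance(" + a + ") is null "
                    + ", but not one with name " + b, e);
        }
    }
}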


use of javax.security.auth.kerberos.KerberosKey in project zm-mailbox by Zimbra.

the class GssAuthenticator method getSubject.

/**
 * Builds a Subject for the service principal {@code kp} carrying the keys
 * that {@code keytab} holds for it.
 *
 * @param keytab keytab in which the principal's keys are looked up
 * @param kp     service principal the Subject is created for
 * @return the populated Subject, or null (after logging a warning) when the
 *         keytab returns no key list for {@code kp}
 * @throws IOException propagated from the keytab access
 */
private Subject getSubject(Krb5Keytab keytab, KerberosPrincipal kp) throws IOException {
    final List<KerberosKey> serviceKeys = keytab.getKeys(kp);
    if (serviceKeys == null) {
        getLog().warn("Key not found in keystore for service principal '" + kp + "'");
        return null;
    }
    final Subject result = new Subject();
    // The principal is public; its keys go into the private credential set.
    result.getPrincipals().add(kp);
    result.getPrivateCredentials().addAll(serviceKeys);
    return result;
}


use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class ServiceCreds method getEKeys.

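/**
 * Gets EKeys for a principal.
 * <p>
 * Keys are first looked up under the exact name of {@code princ}. If none
 * are found, every key this object holds is returned instead (see the
 * comment in the body), so callers must not assume the returned keys are
 * bound to {@code princ}.
 *
 * @param princ the target name initiator requests. Not null.
 * @return keys for the princ, never null, might be empty
 * @throws IllegalStateException if this object has already been destroyed
 */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < kkeys.length; i++) {
        KerberosKey kkey = kkeys[i];
        // EncryptionKey takes a boxed kvno; use Integer.valueOf rather than
        // the deprecated Integer constructor.
        ekeys[i] = new EncryptionKey(kkey.getEncoded(), kkey.getKeyType(),
                Integer.valueOf(kkey.getVersionNumber()));
    }
    return ekeys;
}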


use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class GSSUtil method populateCredentials.

/**
 * Copies the Kerberos tickets and keys found in {@code gssCredentials} into
 * {@code credentials}. An SpNegoCredElement is first unwrapped to its
 * internal credential. Elements that are subclasses of KerberosTicket or
 * KerberosKey are replaced by plain instances of those classes. (It is not
 * desirable to expose the customer to
 * sun.security.jgss.krb5.Krb5InitCredential which extends KerberosTicket and
 * sun.security.jgss.krb5.Kbr5AcceptCredential which extends KerberosKey.)
 * Any other element is skipped with a debug message.
 *
 * @param credentials    destination set the tickets and keys are added to
 * @param gssCredentials source elements to examine
 */
private static void populateCredentials(Set<Object> credentials, Set<?> gssCredentials) {
    for (Object element : gssCredentials) {
        Object cred = element;
        // Retrieve the internal cred out of SpNegoCredElement
        if (cred instanceof SpNegoCredElement) {
            cred = ((SpNegoCredElement) cred).getInternalCred();
        }
        if (cred instanceof KerberosTicket) {
            credentials.add(asPlainTicket((KerberosTicket) cred));
        } else if (cred instanceof KerberosKey) {
            credentials.add(asPlainKey((KerberosKey) cred));
        } else {
            // Ignore non-KerberosTicket and non-KerberosKey elements
            debug("Skipped cred element: " + cred);
        }
    }
}

/**
 * Returns {@code tkt} unchanged when it is exactly a KerberosTicket,
 * otherwise a plain KerberosTicket built from its public accessors.
 */
private static KerberosTicket asPlainTicket(KerberosTicket tkt) {
    if ("javax.security.auth.kerberos.KerberosTicket".equals(tkt.getClass().getName())) {
        return tkt;
    }
    return new KerberosTicket(tkt.getEncoded(), tkt.getClient(), tkt.getServer(),
            tkt.getSessionKey().getEncoded(), tkt.getSessionKeyType(), tkt.getFlags(),
            tkt.getAuthTime(), tkt.getStartTime(), tkt.getEndTime(), tkt.getRenewTill(),
            tkt.getClientAddresses());
}

/**
 * Returns {@code key} unchanged when it is exactly a KerberosKey,
 * otherwise a plain KerberosKey built from its public accessors.
 */
private static KerberosKey asPlainKey(KerberosKey key) {
    if ("javax.security.auth.kerberos.KerberosKey".equals(key.getClass().getName())) {
        return key;
    }
    return new KerberosKey(key.getPrincipal(), key.getEncoded(), key.getKeyType(),
            key.getVersionNumber());
}


use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class ServiceCreds method getInstance.

/**
 * Creates a ServiceCreds object based on info in a Subject for
 * a given principal name (if specified).
 * <p>
 * With a null {@code serverPrincipal}, the creds become bound to the single
 * KerberosPrincipal of the Subject (the principals of its KerberosKeys are
 * counted too) only if there is exactly one and the Subject holds no
 * unbound KeyTab; otherwise they stay unbound.
 *
 * @param subj            the Subject to read principals, keys, keytabs and
 *                        tickets from
 * @param serverPrincipal the acceptor name, or null for an unbound acceptor
 * @return the object, or null if there is no private creds for it
 */
public static ServiceCreds getInstance(Subject subj, String serverPrincipal) {
    ServiceCreds creds = new ServiceCreds();
    creds.allPrincs = subj.getPrincipals(KerberosPrincipal.class);
    // Compatibility. A key implies its own principal
    for (KerberosKey key : SubjectComber.findMany(subj, serverPrincipal, null, KerberosKey.class)) {
        creds.allPrincs.add(key.getPrincipal());
    }
    String boundName = serverPrincipal;
    if (boundName != null) {
        // A named principal
        creds.kp = new KerberosPrincipal(boundName);
    } else if (creds.allPrincs.size() == 1 && !hasUnboundKeyTab(subj)) {
        // only one KerberosPrincipal and there is no unbound keytabs
        creds.kp = creds.allPrincs.iterator().next();
        boundName = creds.kp.getName();
    }
    creds.ktabs = SubjectComber.findMany(subj, boundName, null, KeyTab.class);
    creds.kk = SubjectComber.findMany(subj, boundName, null, KerberosKey.class);
    creds.tgt = SubjectComber.find(subj, null, boundName, KerberosTicket.class);
    boolean hasPrivateCreds = !creds.ktabs.isEmpty() || !creds.kk.isEmpty() || creds.tgt != null;
    if (!hasPrivateCreds) {
        return null;
    }
    creds.destroyed = false;
    return creds;
}

/** Returns true if {@code subj} holds at least one KeyTab that is not bound to a principal. */
private static boolean hasUnboundKeyTab(Subject subj) {
    for (KeyTab ktab : SubjectComber.findMany(subj, null, null, KeyTab.class)) {
        if (!ktab.isBound()) {
            return true;
        }
    }
    return false;
}
