Examples with KerberosKey javax.security.auth.kerberos.KerberosKey used on opensource projects

Example 1 with KerberosKey

use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class ServiceCredsCombination method check.

/**
     * Checks the correct bound
     * @param a get a creds for this principal, null for default one
     * @param b expected name, null for still unbound, "NOCRED" for no creds
     * @param objs princs, keys and keytabs in the subject
     */
private static void check(final String a, String b, Object... objs) throws Exception {
    Subject subj = new Subject();
    for (Object obj : objs) {
        if (obj instanceof KerberosPrincipal) {
            subj.getPrincipals().add((KerberosPrincipal) obj);
        } else if (obj instanceof KerberosKey || obj instanceof KeyTab) {
            subj.getPrivateCredentials().add(obj);
        }
    }
    final GSSManager man = GSSManager.getInstance();
    try {
        String result = Subject.doAs(subj, new PrivilegedExceptionAction<String>() {

            @Override
            public String run() throws GSSException {
                GSSCredential cred = man.createCredential(a == null ? null : man.createName(r(a), null), GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY);
                GSSName name = cred.getName();
                return name == null ? null : name.toString();
            }
        });
        if (!Objects.equals(result, r(b))) {
            throw new Exception("Check failed: getInstance(" + a + ") has name " + result + ", not " + b);
        }
    } catch (PrivilegedActionException e) {
        if (!"NOCRED".equals(b)) {
            throw new Exception("Check failed: getInstance(" + a + ") is null " + ", but not one with name " + b);
        }
    }
}

Example 2 with KerberosKey

use of javax.security.auth.kerberos.KerberosKey in project zm-mailbox by Zimbra.

the class GssAuthenticator method getSubject.

private Subject getSubject(Krb5Keytab keytab, KerberosPrincipal kp) throws IOException {
    List<KerberosKey> keys = keytab.getKeys(kp);
    if (keys == null) {
        getLog().warn("Key not found in keystore for service principal '" + kp + "'");
        return null;
    }
    Subject subject = new Subject();
    subject.getPrincipals().add(kp);
    subject.getPrivateCredentials().addAll(keys);
    return subject;
}

Example 3 with KerberosKey

use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class ServiceCreds method getEKeys.

/**
     * Gets EKeys for a principal.
     * @param princ the target name initiator requests. Not null.
     * @return keys for the princ, never null, might be empty
     */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < ekeys.length; i++) {
        ekeys[i] = new EncryptionKey(kkeys[i].getEncoded(), kkeys[i].getKeyType(), new Integer(kkeys[i].getVersionNumber()));
    }
    return ekeys;
}

Example 4 with KerberosKey

use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class GSSUtil method populateCredentials.

/**
     * Populates the set credentials with elements from gssCredentials. At
     * the same time, it converts any subclasses of KerberosTicket
     * into KerberosTicket instances and any subclasses of KerberosKey into
     * KerberosKey instances. (It is not desirable to expose the customer
     * to sun.security.jgss.krb5.Krb5InitCredential which extends
     * KerberosTicket and sun.security.jgss.krb5.Kbr5AcceptCredential which
     * extends KerberosKey.)
     */
private static void populateCredentials(Set<Object> credentials, Set<?> gssCredentials) {
    Object cred;
    Iterator<?> elements = gssCredentials.iterator();
    while (elements.hasNext()) {
        cred = elements.next();
        // Retrieve the internal cred out of SpNegoCredElement
        if (cred instanceof SpNegoCredElement) {
            cred = ((SpNegoCredElement) cred).getInternalCred();
        }
        if (cred instanceof KerberosTicket) {
            if (!cred.getClass().getName().equals("javax.security.auth.kerberos.KerberosTicket")) {
                KerberosTicket tempTkt = (KerberosTicket) cred;
                cred = new KerberosTicket(tempTkt.getEncoded(), tempTkt.getClient(), tempTkt.getServer(), tempTkt.getSessionKey().getEncoded(), tempTkt.getSessionKeyType(), tempTkt.getFlags(), tempTkt.getAuthTime(), tempTkt.getStartTime(), tempTkt.getEndTime(), tempTkt.getRenewTill(), tempTkt.getClientAddresses());
            }
            credentials.add(cred);
        } else if (cred instanceof KerberosKey) {
            if (!cred.getClass().getName().equals("javax.security.auth.kerberos.KerberosKey")) {
                KerberosKey tempKey = (KerberosKey) cred;
                cred = new KerberosKey(tempKey.getPrincipal(), tempKey.getEncoded(), tempKey.getKeyType(), tempKey.getVersionNumber());
            }
            credentials.add(cred);
        } else {
            // Ignore non-KerberosTicket and non-KerberosKey elements
            debug("Skipped cred element: " + cred);
        }
    }
}

Example 5 with KerberosKey

use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class ServiceCreds method getInstance.

/**
     * Creates a ServiceCreds object based on info in a Subject for
     * a given principal name (if specified).
     * @return the object, or null if there is no private creds for it
     */
public static ServiceCreds getInstance(Subject subj, String serverPrincipal) {
    ServiceCreds sc = new ServiceCreds();
    sc.allPrincs = subj.getPrincipals(KerberosPrincipal.class);
    // Compatibility. A key implies its own principal
    for (KerberosKey key : SubjectComber.findMany(subj, serverPrincipal, null, KerberosKey.class)) {
        sc.allPrincs.add(key.getPrincipal());
    }
    if (serverPrincipal != null) {
        // A named principal
        sc.kp = new KerberosPrincipal(serverPrincipal);
    } else {
        // only one KerberosPrincipal and there is no unbound keytabs
        if (sc.allPrincs.size() == 1) {
            boolean hasUnbound = false;
            for (KeyTab ktab : SubjectComber.findMany(subj, null, null, KeyTab.class)) {
                if (!ktab.isBound()) {
                    hasUnbound = true;
                    break;
                }
            }
            if (!hasUnbound) {
                sc.kp = sc.allPrincs.iterator().next();
                serverPrincipal = sc.kp.getName();
            }
        }
    }
    sc.ktabs = SubjectComber.findMany(subj, serverPrincipal, null, KeyTab.class);
    sc.kk = SubjectComber.findMany(subj, serverPrincipal, null, KerberosKey.class);
    sc.tgt = SubjectComber.find(subj, null, serverPrincipal, KerberosTicket.class);
    if (sc.ktabs.isEmpty() && sc.kk.isEmpty() && sc.tgt == null) {
        return null;
    }
    sc.destroyed = false;
    return sc;
}