
Example 6 with KerberosKey

use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class KerberosClientKeyExchangeImpl method init.

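/**
 * Creates an instance of KerberosClientKeyExchange from its ASN.1 encoding.
 * Used by ServerHandshaker to verify and obtain the premaster secret.
 * <p>
 * Reads three items from {@code input} in order: the encoded service
 * ticket, an authenticator (read and discarded), and the premaster secret,
 * which {@code KerberosPreMasterSecret} reads using the ticket's session
 * key. If the ticket cannot be decrypted or parsed, a random ("bogus")
 * premaster secret is generated instead and the handshake continues;
 * presumably this keeps a bad ticket from being distinguishable to the
 * client, in the spirit of the RSA premaster-secret countermeasure —
 * TODO confirm against ServerHandshaker.
 * <p>
 * Note that the service principal name used for the permission check is
 * taken from the client-supplied ticket, so the "accept" ServicePermission
 * check decides which service principals this handshaker may accept
 * tickets for when the credentials are not bound to a single name.
 *
 * @param protocolVersion current protocol version
 * @param clientVersion version requested by client in its ClientHello;
 *          used by premaster secret version check
 * @param rand random number generator used for generating random
 *          premaster secret if ticket and/or premaster verification fails
 * @param input inputstream from which to get ASN.1-encoded KerberosWrapper
 * @param acc the AccessControlContext of the handshaker
 * @param serviceCreds server's creds; must be a {@code ServiceCreds}
 * @throws IOException if reading from {@code input} fails, if the
 *          "accept" ServicePermission for the ticket's service principal
 *          is denied, or if no server key of the ticket's etype (and,
 *          where enforced, kvno) is available
 */
@Override
public void init(ProtocolVersion protocolVersion, ProtocolVersion clientVersion, SecureRandom rand, HandshakeInStream input, AccessControlContext acc, Object serviceCreds) throws IOException {
    // Read ticket
    encodedTicket = input.getBytes16();
    if (debug != null && Debug.isOn("verbose")) {
        Debug.println(System.out, "encoded Kerberos service ticket", encodedTicket);
    }
    EncryptionKey sessionKey = null;
    try {
        Ticket t = new Ticket(encodedTicket);
        EncryptedData encPart = t.encPart;
        // sname is whatever the client put in the ticket; it is only trusted
        // after the ticket decrypts under one of our own keys below.
        PrincipalName ticketSname = t.sname;
        final ServiceCreds creds = (ServiceCreds) serviceCreds;
        final KerberosPrincipal princ = new KerberosPrincipal(ticketSname.toString());
        // For bound service, permission already checked at setup
        if (creds.getName() == null) {
            SecurityManager sm = System.getSecurityManager();
            try {
                if (sm != null) {
                    // Eliminate dependency on ServicePermission
                    sm.checkPermission(Krb5Helper.getServicePermission(ticketSname.toString(), "accept"), acc);
                }
            } catch (SecurityException se) {
                // Do not destroy keys. Will affect Subject
                if (debug != null && Debug.isOn("handshake")) {
                    System.out.println("Permission to access Kerberos" + " secret key denied");
                }
                // A permission failure is reported, not masked with a bogus
                // premaster secret: the IOException is rethrown below.
                throw new IOException("Kerberos service not allowed");
            }
        }
        KerberosKey[] serverKeys = AccessController.doPrivileged(new PrivilegedAction<KerberosKey[]>() {

            @Override
            public KerberosKey[] run() {
                return creds.getKKeys(princ);
            }
        });
        if (serverKeys.length == 0) {
            throw new IOException("Found no key for " + princ + (creds.getName() == null ? "" : (", this keytab is for " + creds.getName() + " only")));
        }
        /*
             * permission to access and use the secret key of the Kerberized
             * "host" service is done in ServerHandshaker.getKerberosKeys()
             * to ensure server has the permission to use the secret key
             * before promising the client
             */
        // See if we have the right key to decrypt the ticket to get
        // the session key.
        int encPartKeyType = encPart.getEType();
        Integer encPartKeyVersion = encPart.getKeyVersionNumber();
        KerberosKey dkey = null;
        try {
            dkey = findKey(encPartKeyType, encPartKeyVersion, serverKeys);
        } catch (KrbException ke) {
            // a kvno mismatch
            throw new IOException("Cannot find key matching version number", ke);
        }
        if (dkey == null) {
            // %%% Should print string repr of etype
            throw new IOException("Cannot find key of appropriate type" + " to decrypt ticket - need etype " + encPartKeyType);
        }
        EncryptionKey secretKey = new EncryptionKey(encPartKeyType, dkey.getEncoded());
        // Decrypt encPart using server's secret key
        byte[] bytes = encPart.decrypt(secretKey, KeyUsage.KU_TICKET);
        // Reset data stream after decryption, remove redundant bytes
        byte[] temp = encPart.reset(bytes);
        EncTicketPart encTicketPart = new EncTicketPart(temp);
        // Record the Kerberos Principals
        peerPrincipal = new KerberosPrincipal(encTicketPart.cname.getName());
        localPrincipal = new KerberosPrincipal(ticketSname.getName());
        sessionKey = encTicketPart.key;
        if (debug != null && Debug.isOn("handshake")) {
            System.out.println("server principal: " + ticketSname);
            System.out.println("cname: " + encTicketPart.cname.toString());
        }
    } catch (IOException e) {
        // Deliberate: IOExceptions raised above (read errors, permission
        // denied, no usable key) must reach the caller instead of being
        // absorbed by the best-effort handler below.
        throw e;
    } catch (Exception e) {
        // Any other failure (bad ASN.1, decryption error, ...) is treated as
        // "ticket not verifiable": fall through to a random premaster secret
        // rather than aborting the handshake.
        if (debug != null && Debug.isOn("handshake")) {
            System.out.println("KerberosWrapper error getting session key," + " generating random secret (" + e.getMessage() + ")");
        }
        sessionKey = null;
    }
    // XXX Read and ignore authenticator
    input.getBytes16();
    if (sessionKey != null) {
        preMaster = new KerberosPreMasterSecret(protocolVersion, clientVersion, rand, input, sessionKey);
    } else {
        // Generate bogus premaster secret
        preMaster = new KerberosPreMasterSecret(clientVersion, rand);
    }
}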

Example 7 with KerberosKey

use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class KerberosClientKeyExchangeImpl method findKey.

/**
 * Picks the server key able to decrypt a ticket's encrypted part.
 * <p>
 * A key whose type equals {@code etype} and whose kvno satisfies
 * {@code versionMatches} wins immediately. Otherwise the same-etype key
 * with the highest kvno is remembered as a fallback. For the two legacy
 * DES etypes a second pass treats a key of either DES etype as usable
 * and re-labels it with the requested etype (the original "%%% kludge").
 *
 * @param etype   encryption type requested by the ticket's encPart
 * @param version kvno from the ticket's encPart; semantics of {@code null}
 *                are decided by {@code versionMatches} — presumably
 *                "any version", verify there
 * @param keys    the server's candidate keys
 * @return the matching key, the highest-kvno fallback of that etype, or
 *         {@code null} when no key of a usable type exists
 * @throws KrbException propagated from the version comparison
 */
private static KerberosKey findKey(int etype, Integer version, KerberosKey[] keys) throws KrbException {
    // Fallback when no kvno matches: highest-kvno key of the same etype.
    // It stays null whenever no key of a usable type was seen, so the
    // original "etypeFound" flag is implied by it.
    KerberosKey bestKey = null;
    int bestKvno = 0;
    for (KerberosKey candidate : keys) {
        if (candidate.getKeyType() != etype) {
            continue;
        }
        int kvno = candidate.getVersionNumber();
        if (versionMatches(version, kvno)) {
            return candidate;
        }
        if (kvno > bestKvno) {
            bestKey = candidate;
            bestKvno = kvno;
        }
    }
    // %%% kludge to allow DES keys to be used for diff etypes
    boolean desRequested = etype == EncryptedData.ETYPE_DES_CBC_CRC || etype == EncryptedData.ETYPE_DES_CBC_MD5;
    if (desRequested) {
        for (KerberosKey candidate : keys) {
            int ktype = candidate.getKeyType();
            boolean desKey = ktype == EncryptedData.ETYPE_DES_CBC_CRC || ktype == EncryptedData.ETYPE_DES_CBC_MD5;
            if (!desKey) {
                continue;
            }
            int kvno = candidate.getVersionNumber();
            if (versionMatches(version, kvno)) {
                // Re-label the key with the requested etype; getEncoded()
                // hands back a copy of the secret bytes.
                return new KerberosKey(candidate.getPrincipal(), candidate.getEncoded(), etype, kvno);
            }
            if (kvno > bestKvno) {
                bestKey = new KerberosKey(candidate.getPrincipal(), candidate.getEncoded(), etype, kvno);
                bestKvno = kvno;
            }
        }
    }
    return bestKey;
}

Example 8 with KerberosKey

use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class KPEquals method main.

/**
 * Runs a GSS-API handshake between a JAAS-configured client context and a
 * server context whose Subject is assembled by hand: the service principal
 * plus every key the keytab holds for it.
 *
 * @param args ignored
 * @throws Exception on any setup or handshake failure
 */
public static void main(String[] args) throws Exception {
    new OneKDC(null).writeJAASConf();
    Context client = Context.fromJAAS("client");
    Context server = Context.fromThinAir();
    String serviceName = OneKDC.SERVER + "@" + OneKDC.REALM;
    KerberosPrincipal servicePrincipal = new KerberosPrincipal(serviceName, KerberosPrincipal.KRB_NT_SRV_INST);
    server.s().getPrincipals().add(servicePrincipal);
    // Load the service's long-term keys from the keytab into the Subject's
    // private credentials so the server side can decrypt the AP-REQ.
    KerberosKey[] serviceKeys = KeyTab.getInstance(servicePrincipal).getKeys(servicePrincipal);
    for (KerberosKey serviceKey : serviceKeys) {
        server.s().getPrivateCredentials().add(serviceKey);
    }
    client.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    server.startAsServer(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    Context.handshake(client, server);
}

Example 9 with KerberosKey

use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class KerberosHashEqualsTest method check.

/**
 * Exercises equals()/hashCode() of {@code KerberosKey} and
 * {@code KerberosTicket} through the class's checkSame/checkNotSame
 * helpers: reflexivity, structural equality, the effect of destroy(),
 * and one-field-at-a-time differences.
 *
 * @throws Exception propagated from the helpers
 */
void check() throws Exception {
    KerberosPrincipal client = new KerberosPrincipal("client");
    KerberosPrincipal server = new KerberosPrincipal("server");
    byte[] pass = "pass".getBytes();

    // --- KerberosKey(principal, bytes, keyType, version) ---
    KerberosKey k1 = new KerberosKey(client, pass, 1, 1);
    KerberosKey k2 = new KerberosKey(client, pass, 1, 1);
    checkSame(k1, k1);     // reflexive
    checkSame(k1, k2);     // structurally equal
    k2.destroy();
    checkNotSame(k1, k2);  // a destroyed key equals no other key ...
    checkNotSame(k2, k1);
    k1.destroy();
    checkNotSame(k1, k2);  // ... even when both are destroyed ...
    checkNotSame(k2, k1);
    checkSame(k2, k2);     // ... except itself
    k1 = new KerberosKey(client, pass, 1, 1);
    checkNotSame(k1, new KerberosKey(server, pass, 1, 1));              // principal differs
    checkNotSame(k1, new KerberosKey(client, "ssap".getBytes(), 1, 1)); // key bytes differ
    checkNotSame(k1, new KerberosKey(client, pass, 2, 1));              // key type differs
    checkNotSame(k1, new KerberosKey(client, pass, 1, 2));              // version differs
    k2 = new KerberosKey(null, pass, 1, 2);
    checkNotSame(k1, k2);  // null principal vs non-null
    k1 = new KerberosKey(null, pass, 1, 2);
    checkSame(k1, k2);     // both principals null
    checkNotSame(k1, "Another Object");

    // --- KerberosTicket(asn1, client, server, sessionKey, keyType, flags,
    //     authTime, startTime, endTime, renewTill, clientAddresses) ---
    byte[] asn1 = "asn1".getBytes();
    boolean[] forwardable = { true, true };
    boolean[] allFlags = { true, true, true, true, true, true, true, true, true, true };
    Date epoch = new Date(0);
    KerberosTicket t1 = new KerberosTicket(asn1, client, server, pass, 1, forwardable, epoch, epoch, epoch, epoch, null);
    KerberosTicket t2 = new KerberosTicket(asn1, client, server, pass, 1, forwardable, epoch, epoch, epoch, epoch, null);
    checkSame(t1, t1);
    checkSame(t1, t2);
    t1.destroy();
    checkNotSame(t1, t2);  // destroyed tickets equal nothing else ...
    checkNotSame(t2, t1);
    t2.destroy();
    checkNotSame(t1, t2);  // ... even when both are destroyed ...
    checkNotSame(t2, t1);
    checkSame(t2, t2);     // ... unless they are the same object
    t1 = new KerberosTicket(asn1, client, server, pass, 1, forwardable, epoch, epoch, epoch, epoch, null);
    // ASN.1 encoding differs
    checkNotSame(t1, new KerberosTicket("asn11".getBytes(), client, server, pass, 1, forwardable, epoch, epoch, epoch, epoch, null));
    // client differs
    checkNotSame(t1, new KerberosTicket(asn1, new KerberosPrincipal("client1"), server, pass, 1, forwardable, epoch, epoch, epoch, epoch, null));
    // server differs
    checkNotSame(t1, new KerberosTicket(asn1, client, new KerberosPrincipal("server1"), pass, 1, forwardable, epoch, epoch, epoch, epoch, null));
    // session key differs
    checkNotSame(t1, new KerberosTicket(asn1, client, server, "pass1".getBytes(), 1, forwardable, epoch, epoch, epoch, epoch, null));
    // key type differs
    checkNotSame(t1, new KerberosTicket(asn1, client, server, pass, 2, forwardable, epoch, epoch, epoch, epoch, null));
    // flags differ (not FORWARDABLE)
    checkNotSame(t1, new KerberosTicket(asn1, client, server, pass, 1, new boolean[] { true, false }, epoch, epoch, epoch, epoch, null));
    // authTime differs
    checkNotSame(t1, new KerberosTicket(asn1, client, server, pass, 1, forwardable, new Date(1), epoch, epoch, epoch, null));
    // startTime differs
    checkNotSame(t1, new KerberosTicket(asn1, client, server, pass, 1, forwardable, epoch, new Date(1), epoch, epoch, null));
    // endTime differs
    checkNotSame(t1, new KerberosTicket(asn1, client, server, pass, 1, forwardable, epoch, epoch, new Date(1), epoch, null));
    // client addresses differ
    checkNotSame(t1, new KerberosTicket(asn1, client, server, pass, 1, forwardable, epoch, epoch, epoch, epoch, new InetAddress[2]));
    // renewTill is ignored while the RENEWABLE flag is clear ...
    t2 = new KerberosTicket(asn1, client, server, pass, 1, forwardable, epoch, epoch, epoch, new Date(1), null);
    t1 = new KerberosTicket(asn1, client, server, pass, 1, forwardable, epoch, epoch, epoch, new Date(2), null);
    checkSame(t1, t2);
    // ... and compared once RENEWABLE is set
    t2 = new KerberosTicket(asn1, client, server, pass, 1, allFlags, epoch, epoch, epoch, new Date(1), null);
    t1 = new KerberosTicket(asn1, client, server, pass, 1, allFlags, epoch, epoch, epoch, new Date(2), null);
    checkNotSame(t1, t2);
    checkNotSame(t1, "Another Object");
    System.out.println("Good!");
}

Example 10 with KerberosKey

use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.

the class KrbCredSubKey method main.

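/**
 * Accepts the stored GSS token ({@code token}, defined elsewhere in this
 * class) as a server whose Subject is built by hand from the principal
 * {@code princ} and the raw AES-128 key {@code key}.
 * <p>
 * The krb5.conf written here is test-only: the huge clockskew makes the
 * timestamp check accept a token regardless of when the test runs, which
 * is exactly the check a production configuration relies on.
 *
 * @param args ignored
 * @throws Exception on any configuration or GSS failure
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // try-with-resources: the original left the stream unclosed.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    KerberosKey kk = new KerberosKey(kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);
    // Typed action instead of the raw PrivilegedExceptionAction.
    Subject.doAs(subj, new PrivilegedExceptionAction<Object>() {

        @Override
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            GSSCredential acceptorCred = man.createCredential(null, GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY);
            GSSContext ctxt = man.createContext(acceptorCred);
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}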
