use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.
the class KerberosClientKeyExchangeImpl method init.
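/**
 * Creates an instance of KerberosClientKeyExchange from its ASN.1 encoding.
 * Used by ServerHandshaker to verify and obtain the premaster secret.
 *
 * <p>The client-supplied service ticket is read from {@code input} and
 * decrypted with the server's long-term key taken from {@code serviceCreds};
 * the session key found inside the ticket is then used to decrypt the
 * premaster secret. Failures while reading the ticket, checking the
 * "accept" ServicePermission, or locating a matching server key are
 * reported to the caller as {@link IOException}. Any other failure
 * (undecryptable ticket, unparsable EncTicketPart, ...) is deliberately
 * masked: a random "bogus" premaster secret is generated instead, so the
 * handshake carries on rather than revealing at this point that the ticket
 * was rejected.
 *
 * @param protocolVersion current protocol version
 * @param clientVersion version requested by client in its ClientHello;
 *        used by premaster secret version check
 * @param rand random number generator used for generating random
 *        premaster secret if ticket and/or premaster verification fails
 * @param input inputstream from which to get ASN.1-encoded KerberosWrapper
 * @param acc the AccessControlContext of the handshaker
 * @param serviceCreds server's creds; must be a {@code ServiceCreds}
 * @throws IOException if the ticket cannot be read, if the handshaker is
 *         not permitted to accept for the ticket's service principal, or
 *         if no server key matches the ticket's encryption type / kvno
 */
@Override
public void init(ProtocolVersion protocolVersion, ProtocolVersion clientVersion,
        SecureRandom rand, HandshakeInStream input, AccessControlContext acc,
        Object serviceCreds) throws IOException {

    // Read ticket (untrusted: it comes straight from the client)
    encodedTicket = input.getBytes16();
    if (debug != null && Debug.isOn("verbose")) {
        Debug.println(System.out, "encoded Kerberos service ticket", encodedTicket);
    }

    EncryptionKey sessionKey = null;
    try {
        Ticket t = new Ticket(encodedTicket);
        EncryptedData encPart = t.encPart;
        PrincipalName ticketSname = t.sname;
        final ServiceCreds creds = (ServiceCreds) serviceCreds;
        final KerberosPrincipal princ = new KerberosPrincipal(ticketSname.toString());

        // For a bound service the permission was already checked at setup.
        // An unbound service is checked here against the service name the
        // client put in the ticket.
        if (creds.getName() == null) {
            SecurityManager sm = System.getSecurityManager();
            try {
                if (sm != null) {
                    // Eliminate dependency on ServicePermission
                    sm.checkPermission(
                            Krb5Helper.getServicePermission(ticketSname.toString(), "accept"), acc);
                }
            } catch (SecurityException se) {
                // Do not destroy keys. Will affect Subject
                if (debug != null && Debug.isOn("handshake")) {
                    System.out.println("Permission to access Kerberos secret key denied");
                }
                throw new IOException("Kerberos service not allowed");
            }
        }

        KerberosKey[] serverKeys = AccessController.doPrivileged(
                new PrivilegedAction<KerberosKey[]>() {
                    @Override
                    public KerberosKey[] run() {
                        return creds.getKKeys(princ);
                    }
                });
        if (serverKeys.length == 0) {
            throw new IOException("Found no key for " + princ
                    + (creds.getName() == null ? ""
                            : (", this keytab is for " + creds.getName() + " only")));
        }

        /*
         * permission to access and use the secret key of the Kerberized
         * "host" service is done in ServerHandshaker.getKerberosKeys()
         * to ensure server has the permission to use the secret key
         * before promising the client
         */

        // See if we have the right key to decrypt the ticket to get
        // the session key. Both the etype and the kvno are taken from the
        // (still unauthenticated) ticket header.
        int encPartKeyType = encPart.getEType();
        Integer encPartKeyVersion = encPart.getKeyVersionNumber();
        KerberosKey dkey = null;
        try {
            dkey = findKey(encPartKeyType, encPartKeyVersion, serverKeys);
        } catch (KrbException ke) {
            // a kvno mismatch
            throw new IOException("Cannot find key matching version number", ke);
        }
        if (dkey == null) {
            // %%% Should print string repr of etype
            throw new IOException("Cannot find key of appropriate type"
                    + " to decrypt ticket - need etype " + encPartKeyType);
        }
        EncryptionKey secretKey = new EncryptionKey(encPartKeyType, dkey.getEncoded());

        // Decrypt encPart using server's secret key; a wrong key or a
        // tampered ticket surfaces as an exception handled below.
        byte[] bytes = encPart.decrypt(secretKey, KeyUsage.KU_TICKET);

        // Reset data stream after decryption, remove redundant bytes
        byte[] temp = encPart.reset(bytes);
        EncTicketPart encTicketPart = new EncTicketPart(temp);

        // Record the Kerberos Principals
        peerPrincipal = new KerberosPrincipal(encTicketPart.cname.getName());
        localPrincipal = new KerberosPrincipal(ticketSname.getName());

        sessionKey = encTicketPart.key;

        if (debug != null && Debug.isOn("handshake")) {
            System.out.println("server principal: " + ticketSname);
            System.out.println("cname: " + encTicketPart.cname.toString());
        }
    } catch (IOException e) {
        // Permission / key-lookup problems are real errors: propagate.
        throw e;
    } catch (Exception e) {
        // Everything else is masked; fall through to a random premaster
        // secret so the failure is not reported to the client here.
        if (debug != null && Debug.isOn("handshake")) {
            System.out.println("KerberosWrapper error getting session key,"
                    + " generating random secret (" + e.getMessage() + ")");
        }
        sessionKey = null;
    }

    // XXX Read and ignore authenticator. It is consumed only to keep the
    // stream aligned; this method does not validate it.
    input.getBytes16();

    if (sessionKey != null) {
        preMaster = new KerberosPreMasterSecret(protocolVersion, clientVersion,
                rand, input, sessionKey);
    } else {
        // Generate bogus premaster secret
        preMaster = new KerberosPreMasterSecret(clientVersion, rand);
    }
}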
use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.
the class KerberosClientKeyExchangeImpl method findKey.
/**
 * Picks, from the server's keys, the one to decrypt a ticket whose encPart
 * uses encryption type {@code etype} and (optionally) key version
 * {@code version}.
 *
 * <p>Selection order:
 * <ol>
 *   <li>a key of exactly {@code etype} whose kvno satisfies
 *       {@code versionMatches(version, kvno)} is returned at once;</li>
 *   <li>when {@code etype} is single-DES (DES-CBC-CRC or DES-CBC-MD5), a key
 *       of either DES variant may stand in for the other and is returned as
 *       a copy re-labelled with the requested {@code etype};</li>
 *   <li>without an exact kvno match, the usable key with the highest kvno
 *       seen (strictly greater than 0) is returned;</li>
 *   <li>if no key of a usable type exists, {@code null}.</li>
 * </ol>
 *
 * @param etype   encryption type of the ticket's encPart
 * @param version kvno from the ticket's encPart, or {@code null} when absent;
 *                how it is compared is up to {@code versionMatches}
 * @param keys    candidate server keys
 * @return the selected key (possibly a re-labelled copy in the DES case), or
 *         {@code null} if none is usable
 * @throws KrbException propagated from {@code versionMatches}
 */
private static KerberosKey findKey(int etype, Integer version, KerberosKey[] keys)
        throws KrbException {
    boolean usableTypeSeen = false;
    int highestKvno = 0;
    KerberosKey fallback = null;

    // Pass 1: keys whose type is exactly the requested one.
    for (KerberosKey candidate : keys) {
        if (candidate.getKeyType() != etype) {
            continue;
        }
        usableTypeSeen = true;
        int kvno = candidate.getVersionNumber();
        if (versionMatches(version, kvno)) {
            return candidate;
        }
        if (kvno > highestKvno) {
            fallback = candidate;
            highestKvno = kvno;
        }
    }

    // Pass 2 (%%% kludge): the two single-DES types are treated as
    // interchangeable; the key bytes are reused under the requested etype.
    if (isSingleDes(etype)) {
        for (KerberosKey candidate : keys) {
            if (!isSingleDes(candidate.getKeyType())) {
                continue;
            }
            usableTypeSeen = true;
            int kvno = candidate.getVersionNumber();
            if (versionMatches(version, kvno)) {
                return relabel(candidate, etype, kvno);
            }
            if (kvno > highestKvno) {
                fallback = relabel(candidate, etype, kvno);
                highestKvno = kvno;
            }
        }
    }

    return usableTypeSeen ? fallback : null;
}

/** True for the two single-DES encryption types handled by the DES kludge. */
private static boolean isSingleDes(int etype) {
    return etype == EncryptedData.ETYPE_DES_CBC_CRC
            || etype == EncryptedData.ETYPE_DES_CBC_MD5;
}

/** Copy of {@code k} with its type replaced by {@code etype}; principal, key bytes and kvno kept. */
private static KerberosKey relabel(KerberosKey k, int etype, int kvno) {
    return new KerberosKey(k.getPrincipal(), k.getEncoded(), etype, kvno);
}
use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.
the class KPEquals method main.
/**
 * Entry point: starts a one-node KDC, builds a client context via JAAS and a
 * server context populated by hand with the service principal and every key
 * for it from the keytab, then runs a Kerberos GSS-API handshake between them.
 *
 * @param args ignored
 * @throws Exception on any KDC, JAAS or GSS failure
 */
public static void main(String[] args) throws Exception {
    new OneKDC(null).writeJAASConf();

    Context client = Context.fromJAAS("client");
    Context server = Context.fromThinAir();

    // The server subject gets the service principal plus its keytab keys,
    // mirroring what a JAAS login would have stored.
    KerberosPrincipal service = new KerberosPrincipal(
            OneKDC.SERVER + "@" + OneKDC.REALM, KerberosPrincipal.KRB_NT_SRV_INST);
    server.s().getPrincipals().add(service);
    java.util.Collections.addAll(server.s().getPrivateCredentials(),
            KeyTab.getInstance(service).getKeys(service));

    client.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    server.startAsServer(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    Context.handshake(client, server);
}
use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.
the class KerberosHashEqualsTest method check.
/**
 * Exercises {@code equals}/{@code hashCode} of {@link KerberosKey} and
 * {@link KerberosTicket} through {@code checkSame}/{@code checkNotSame}:
 * equal field values compare equal, any single differing field compares
 * unequal, a destroyed object equals only itself, and {@code renewTill}
 * only takes part in the comparison when the RENEWABLE flag is set.
 *
 * @throws Exception propagated from the check helpers
 */
void check() throws Exception {
    KerberosPrincipal client = new KerberosPrincipal("client");
    KerberosPrincipal server = new KerberosPrincipal("server");
    byte[] pass = "pass".getBytes();

    // ---- KerberosKey(principal, keyBytes, keyType, version) ----
    KerberosKey key1 = new KerberosKey(client, pass, 1, 1);
    KerberosKey key2 = new KerberosKey(client, pass, 1, 1);
    checkSame(key1, key1);        // reflexive
    checkSame(key1, key2);        // identical field values

    key2.destroy();               // a destroyed key equals no other key...
    checkNotSame(key1, key2);
    checkNotSame(key2, key1);
    key1.destroy();               // ...even when both are destroyed...
    checkNotSame(key1, key2);
    checkNotSame(key2, key1);
    checkSame(key2, key2);        // ...unless it is the very same object

    // One differing field is enough to break equality.
    key1 = new KerberosKey(client, pass, 1, 1);
    key2 = new KerberosKey(server, pass, 1, 1);
    checkNotSame(key1, key2);     // principal
    key2 = new KerberosKey(client, "ssap".getBytes(), 1, 1);
    checkNotSame(key1, key2);     // key bytes
    key2 = new KerberosKey(client, pass, 2, 1);
    checkNotSame(key1, key2);     // key type
    key2 = new KerberosKey(client, pass, 1, 2);
    checkNotSame(key1, key2);     // version
    key2 = new KerberosKey(null, pass, 1, 2);
    checkNotSame(key1, key2);     // null vs non-null principal
    key1 = new KerberosKey(null, pass, 1, 2);
    checkSame(key1, key2);        // null principal on both sides
    checkNotSame(key1, "Another Object");

    // ---- KerberosTicket(asn1, client, server, sessionKey, keyType, flags,
    //                     authTime, startTime, endTime, renewTill, addresses) ----
    byte[] asn1 = "asn1".getBytes();
    boolean[] forwardable = { true, true };
    boolean[] allFlags = { true, true, true, true, true, true, true, true, true, true };
    Date epoch = new Date(0);
    Date oneMs = new Date(1);
    Date twoMs = new Date(2);

    KerberosTicket t1 = new KerberosTicket(asn1, client, server, pass, 1, forwardable,
            epoch, epoch, epoch, epoch, null);
    KerberosTicket t2 = new KerberosTicket(asn1, client, server, pass, 1, forwardable,
            epoch, epoch, epoch, epoch, null);
    checkSame(t1, t1);
    checkSame(t1, t2);

    t1.destroy();                 // destroyed tickets equal nothing else...
    checkNotSame(t1, t2);
    checkNotSame(t2, t1);
    t2.destroy();                 // ...even when both are destroyed...
    checkNotSame(t1, t2);
    checkNotSame(t2, t1);
    checkSame(t2, t2);            // ...unless they are the same object

    // One differing field is enough to break equality.
    t1 = new KerberosTicket(asn1, client, server, pass, 1, forwardable,
            epoch, epoch, epoch, epoch, null);
    t2 = new KerberosTicket("asn11".getBytes(), client, server, pass, 1, forwardable,
            epoch, epoch, epoch, epoch, null);
    checkNotSame(t1, t2);         // ASN.1 encoding
    t2 = new KerberosTicket(asn1, new KerberosPrincipal("client1"), server, pass, 1, forwardable,
            epoch, epoch, epoch, epoch, null);
    checkNotSame(t1, t2);         // client
    t2 = new KerberosTicket(asn1, client, new KerberosPrincipal("server1"), pass, 1, forwardable,
            epoch, epoch, epoch, epoch, null);
    checkNotSame(t1, t2);         // server
    t2 = new KerberosTicket(asn1, client, server, "pass1".getBytes(), 1, forwardable,
            epoch, epoch, epoch, epoch, null);
    checkNotSame(t1, t2);         // session key
    t2 = new KerberosTicket(asn1, client, server, pass, 2, forwardable,
            epoch, epoch, epoch, epoch, null);
    checkNotSame(t1, t2);         // key type
    t2 = new KerberosTicket(asn1, client, server, pass, 1, new boolean[] { true, false },
            epoch, epoch, epoch, epoch, null);
    checkNotSame(t1, t2);         // flags (FORWARDABLE cleared)
    t2 = new KerberosTicket(asn1, client, server, pass, 1, forwardable,
            oneMs, epoch, epoch, epoch, null);
    checkNotSame(t1, t2);         // authTime
    t2 = new KerberosTicket(asn1, client, server, pass, 1, forwardable,
            epoch, oneMs, epoch, epoch, null);
    checkNotSame(t1, t2);         // startTime
    t2 = new KerberosTicket(asn1, client, server, pass, 1, forwardable,
            epoch, epoch, oneMs, epoch, null);
    checkNotSame(t1, t2);         // endTime
    t2 = new KerberosTicket(asn1, client, server, pass, 1, forwardable,
            epoch, epoch, epoch, epoch, new InetAddress[2]);
    checkNotSame(t1, t2);         // client addresses

    // renewTill is ignored while the RENEWABLE flag is not set...
    t2 = new KerberosTicket(asn1, client, server, pass, 1, forwardable,
            epoch, epoch, epoch, oneMs, null);
    t1 = new KerberosTicket(asn1, client, server, pass, 1, forwardable,
            epoch, epoch, epoch, twoMs, null);
    checkSame(t1, t2);
    // ...and compared once it is.
    t2 = new KerberosTicket(asn1, client, server, pass, 1, allFlags,
            epoch, epoch, epoch, oneMs, null);
    t1 = new KerberosTicket(asn1, client, server, pass, 1, allFlags,
            epoch, epoch, epoch, twoMs, null);
    checkNotSame(t1, t2);

    checkNotSame(t1, "Another Object");
    System.out.println("Good!");
}
use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.
the class KrbCredSubKey method main.
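/**
 * Entry point: accepts a pre-recorded AP-REQ ({@code token}) using a
 * {@link KerberosKey} placed directly in a {@link Subject}, with no JAAS
 * login involved.
 *
 * <p>A minimal krb5.conf with a very large {@code clockskew} is written
 * first so that the recorded token's timestamps are not rejected.
 *
 * @param args ignored
 * @throws Exception on any I/O, configuration or GSS failure
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference between now and when the token
    // was recorded, so make the permitted skew effectively unbounded.
    // try-with-resources closes (and flushes) the file before Config reads it.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999"
                .getBytes(java.nio.charset.StandardCharsets.UTF_8));
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    // Acceptor subject: the service principal plus its AES-128 key
    // (kvno 0), supplied directly as a private credential.
    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    KerberosKey kk = new KerberosKey(kp, key,
            EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<byte[]>() {
        @Override
        public byte[] run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            GSSContext ctxt = man.createContext(man.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID,
                    GSSCredential.ACCEPT_ONLY));
            // The returned bytes (if any) are the acceptor's reply token.
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}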