Example 6 with KerberosKey
use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.
the class KerberosClientKeyExchangeImpl method init.
/**
* Creates an instance of KerberosClientKeyExchange from its ASN.1 encoding.
* Used by ServerHandshaker to verify and obtain premaster secret.
*
* @param protocolVersion current protocol version
* @param clientVersion version requested by client in its ClientHello;
* used by premaster secret version check
* @param rand random number generator used for generating random
* premaster secret if ticket and/or premaster verification fails
* @param input inputstream from which to get ASN.1-encoded KerberosWrapper
* @param acc the AccessControlContext of the handshaker
* @param serviceCreds server's creds
*/
@Override
public void init(ProtocolVersion protocolVersion, ProtocolVersion clientVersion, SecureRandom rand, HandshakeInStream input, AccessControlContext acc, Object serviceCreds) throws IOException {
// Read ticket
encodedTicket = input.getBytes16();
if (debug != null && Debug.isOn("verbose")) {
Debug.println(System.out, "encoded Kerberos service ticket", encodedTicket);
}
EncryptionKey sessionKey = null;
try {
Ticket t = new Ticket(encodedTicket);
EncryptedData encPart = t.encPart;
PrincipalName ticketSname = t.sname;
final ServiceCreds creds = (ServiceCreds) serviceCreds;
final KerberosPrincipal princ = new KerberosPrincipal(ticketSname.toString());
// For bound service, permission already checked at setup
if (creds.getName() == null) {
SecurityManager sm = System.getSecurityManager();
try {
if (sm != null) {
// Eliminate dependency on ServicePermission
sm.checkPermission(Krb5Helper.getServicePermission(ticketSname.toString(), "accept"), acc);
}
} catch (SecurityException se) {
serviceCreds = null;
// Do not destroy keys. Will affect Subject
if (debug != null && Debug.isOn("handshake")) {
System.out.println("Permission to access Kerberos" + " secret key denied");
}
throw new IOException("Kerberos service not allowedy");
}
}
KerberosKey[] serverKeys = AccessController.doPrivileged(new PrivilegedAction<KerberosKey[]>() {
@Override
public KerberosKey[] run() {
return creds.getKKeys(princ);
}
});
if (serverKeys.length == 0) {
throw new IOException("Found no key for " + princ + (creds.getName() == null ? "" : (", this keytab is for " + creds.getName() + " only")));
}
/*
* permission to access and use the secret key of the Kerberized
* "host" service is done in ServerHandshaker.getKerberosKeys()
* to ensure server has the permission to use the secret key
* before promising the client
*/
// See if we have the right key to decrypt the ticket to get
// the session key.
int encPartKeyType = encPart.getEType();
Integer encPartKeyVersion = encPart.getKeyVersionNumber();
KerberosKey dkey = null;
try {
dkey = findKey(encPartKeyType, encPartKeyVersion, serverKeys);
} catch (KrbException ke) {
// a kvno mismatch
throw new IOException("Cannot find key matching version number", ke);
}
if (dkey == null) {
// %%% Should print string repr of etype
throw new IOException("Cannot find key of appropriate type" + " to decrypt ticket - need etype " + encPartKeyType);
}
EncryptionKey secretKey = new EncryptionKey(encPartKeyType, dkey.getEncoded());
// Decrypt encPart using server's secret key
byte[] bytes = encPart.decrypt(secretKey, KeyUsage.KU_TICKET);
// Reset data stream after decryption, remove redundant bytes
byte[] temp = encPart.reset(bytes);
EncTicketPart encTicketPart = new EncTicketPart(temp);
// Record the Kerberos Principals
peerPrincipal = new KerberosPrincipal(encTicketPart.cname.getName());
localPrincipal = new KerberosPrincipal(ticketSname.getName());
sessionKey = encTicketPart.key;
if (debug != null && Debug.isOn("handshake")) {
System.out.println("server principal: " + ticketSname);
System.out.println("cname: " + encTicketPart.cname.toString());
}
} catch (IOException e) {
throw e;
} catch (Exception e) {
if (debug != null && Debug.isOn("handshake")) {
System.out.println("KerberosWrapper error getting session key," + " generating random secret (" + e.getMessage() + ")");
}
sessionKey = null;
}
// XXX Read and ignore authenticator
input.getBytes16();
if (sessionKey != null) {
preMaster = new KerberosPreMasterSecret(protocolVersion, clientVersion, rand, input, sessionKey);
} else {
// Generate bogus premaster secret
preMaster = new KerberosPreMasterSecret(clientVersion, rand);
}
}
Also used :
Ticket(sun.security.krb5.internal.Ticket)
KerberosTicket(javax.security.auth.kerberos.KerberosTicket)
KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)
ServiceCreds(sun.security.jgss.krb5.ServiceCreds)
EncryptionKey(sun.security.krb5.EncryptionKey)
PrincipalName(sun.security.krb5.PrincipalName)
IOException(java.io.IOException)
EncTicketPart(sun.security.krb5.internal.EncTicketPart)
KrbException(sun.security.krb5.KrbException)
PrivilegedActionException(java.security.PrivilegedActionException)
IOException(java.io.IOException)
KerberosKey(javax.security.auth.kerberos.KerberosKey)
KrbException(sun.security.krb5.KrbException)
EncryptedData(sun.security.krb5.EncryptedData)
Example 7 with KerberosKey
use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.
the class KerberosClientKeyExchangeImpl method findKey.
private static KerberosKey findKey(int etype, Integer version, KerberosKey[] keys) throws KrbException {
int ktype;
boolean etypeFound = false;
// When no matched kvno is found, returns tke key of the same
// etype with the highest kvno
int kvno_found = 0;
KerberosKey key_found = null;
for (int i = 0; i < keys.length; i++) {
ktype = keys[i].getKeyType();
if (etype == ktype) {
int kv = keys[i].getVersionNumber();
etypeFound = true;
if (versionMatches(version, kv)) {
return keys[i];
} else if (kv > kvno_found) {
key_found = keys[i];
kvno_found = kv;
}
}
}
// %%% kludge to allow DES keys to be used for diff etypes
if ((etype == EncryptedData.ETYPE_DES_CBC_CRC || etype == EncryptedData.ETYPE_DES_CBC_MD5)) {
for (int i = 0; i < keys.length; i++) {
ktype = keys[i].getKeyType();
if (ktype == EncryptedData.ETYPE_DES_CBC_CRC || ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
int kv = keys[i].getVersionNumber();
etypeFound = true;
if (versionMatches(version, kv)) {
return new KerberosKey(keys[i].getPrincipal(), keys[i].getEncoded(), etype, kv);
} else if (kv > kvno_found) {
key_found = new KerberosKey(keys[i].getPrincipal(), keys[i].getEncoded(), etype, kv);
kvno_found = kv;
}
}
}
}
if (etypeFound) {
return key_found;
}
return null;
}
Also used :
KerberosKey(javax.security.auth.kerberos.KerberosKey)
Example 8 with KerberosKey
use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.
the class KPEquals method main.
public static void main(String[] args) throws Exception {
new OneKDC(null).writeJAASConf();
Context c = Context.fromJAAS("client");
Context s = Context.fromThinAir();
KerberosPrincipal kp = new KerberosPrincipal(OneKDC.SERVER + "@" + OneKDC.REALM, KerberosPrincipal.KRB_NT_SRV_INST);
s.s().getPrincipals().add(kp);
for (KerberosKey k : KeyTab.getInstance(kp).getKeys(kp)) {
s.s().getPrivateCredentials().add(k);
}
c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
s.startAsServer(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
Context.handshake(c, s);
}
Also used :
KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)
KerberosKey(javax.security.auth.kerberos.KerberosKey)
Example 9 with KerberosKey
use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.
the class KerberosHashEqualsTest method check.
void check() throws Exception {
// The key part:
// new KerberosKey(principal, bytes, keyType, version)
KerberosKey k1, k2;
KerberosPrincipal CLIENT = new KerberosPrincipal("client");
KerberosPrincipal SERVER = new KerberosPrincipal("server");
byte[] PASS = "pass".getBytes();
k1 = new KerberosKey(CLIENT, PASS, 1, 1);
k2 = new KerberosKey(CLIENT, PASS, 1, 1);
// me is me
checkSame(k1, k1);
// same
checkSame(k1, k2);
// A destroyed key doesn't equal to any key
k2.destroy();
checkNotSame(k1, k2);
checkNotSame(k2, k1);
k1.destroy();
// even if they are both destroyed
checkNotSame(k1, k2);
checkNotSame(k2, k1);
checkSame(k2, k2);
// a little difference means not equal
k1 = new KerberosKey(CLIENT, PASS, 1, 1);
k2 = new KerberosKey(SERVER, PASS, 1, 1);
// Different principal name
checkNotSame(k1, k2);
k2 = new KerberosKey(CLIENT, "ssap".getBytes(), 1, 1);
// Different password
checkNotSame(k1, k2);
k2 = new KerberosKey(CLIENT, PASS, 2, 1);
// Different keytype
checkNotSame(k1, k2);
k2 = new KerberosKey(CLIENT, PASS, 1, 2);
// Different version
checkNotSame(k1, k2);
k2 = new KerberosKey(null, PASS, 1, 2);
// null is not non-null
checkNotSame(k1, k2);
k1 = new KerberosKey(null, PASS, 1, 2);
// null is null
checkSame(k1, k2);
checkNotSame(k1, "Another Object");
// The ticket part:
// new KerberosTicket(asn1 bytes, client, server, session key, type, flags,
// auth, start, end, renewUntil times, address)
KerberosTicket t1, t2;
byte[] ASN1 = "asn1".getBytes();
boolean[] FORWARDABLE = new boolean[] { true, true };
boolean[] ALLTRUE = new boolean[] { true, true, true, true, true, true, true, true, true, true };
Date D0 = new Date(0);
t1 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
checkSame(t1, t1);
checkSame(t1, t2);
// destroyed tickets doesn't equal to each other
t1.destroy();
checkNotSame(t1, t2);
checkNotSame(t2, t1);
t2.destroy();
// even if they are both destroyed
checkNotSame(t1, t2);
checkNotSame(t2, t1);
// unless they are the same object
checkSame(t2, t2);
// a little difference means not equal
t1 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
t2 = new KerberosTicket("asn11".getBytes(), CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
// Different ASN1 encoding
checkNotSame(t1, t2);
t2 = new KerberosTicket(ASN1, new KerberosPrincipal("client1"), SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
// Different client
checkNotSame(t1, t2);
t2 = new KerberosTicket(ASN1, CLIENT, new KerberosPrincipal("server1"), PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
// Different server
checkNotSame(t1, t2);
t2 = new KerberosTicket(ASN1, CLIENT, SERVER, "pass1".getBytes(), 1, FORWARDABLE, D0, D0, D0, D0, null);
// Different session key
checkNotSame(t1, t2);
t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 2, FORWARDABLE, D0, D0, D0, D0, null);
// Different key type
checkNotSame(t1, t2);
t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, new boolean[] { true, false }, D0, D0, D0, D0, null);
// Different flags, not FORWARDABLE
checkNotSame(t1, t2);
t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, new Date(1), D0, D0, D0, null);
// Different authtime
checkNotSame(t1, t2);
t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, new Date(1), D0, D0, null);
// Different starttime
checkNotSame(t1, t2);
t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, new Date(1), D0, null);
// Different endtime
checkNotSame(t1, t2);
t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, new InetAddress[2]);
// Different client addresses
checkNotSame(t1, t2);
t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, new Date(1), null);
t1 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, new Date(2), null);
// renewtill is ignored when RENEWABLE ticket flag is not set.
checkSame(t1, t2);
t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, ALLTRUE, D0, D0, D0, new Date(1), null);
t1 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, ALLTRUE, D0, D0, D0, new Date(2), null);
// renewtill is used when RENEWABLE is set.
checkNotSame(t1, t2);
checkNotSame(t1, "Another Object");
System.out.println("Good!");
}
Also used :
KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)
KerberosKey(javax.security.auth.kerberos.KerberosKey)
KerberosTicket(javax.security.auth.kerberos.KerberosTicket)
InetAddress(java.net.InetAddress)
Date(java.util.Date)
Example 10 with KerberosKey
use of javax.security.auth.kerberos.KerberosKey in project jdk8u_jdk by JetBrains.
the class KrbCredSubKey method main.
public static void main(String[] args) throws Exception {
// We don't care about clock difference
new FileOutputStream("krb5.conf").write("[libdefaults]\nclockskew=999999999".getBytes());
System.setProperty("java.security.krb5.conf", "krb5.conf");
Config.refresh();
Subject subj = new Subject();
KerberosPrincipal kp = new KerberosPrincipal(princ);
KerberosKey kk = new KerberosKey(kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
subj.getPrincipals().add(kp);
subj.getPrivateCredentials().add(kk);
Subject.doAs(subj, new PrivilegedExceptionAction() {
public Object run() throws Exception {
GSSManager man = GSSManager.getInstance();
GSSContext ctxt = man.createContext(man.createCredential(null, GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
return ctxt.acceptSecContext(token, 0, token.length);
}
});
}
Also used :
KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)
KerberosKey(javax.security.auth.kerberos.KerberosKey)
FileOutputStream(java.io.FileOutputStream)
GSSManager(org.ietf.jgss.GSSManager)
GSSContext(org.ietf.jgss.GSSContext)
PrivilegedExceptionAction(java.security.PrivilegedExceptionAction)
Subject(javax.security.auth.Subject)
Aggregations
KerberosKey (javax.security.auth.kerberos.KerberosKey)13
KerberosPrincipal (javax.security.auth.kerberos.KerberosPrincipal)9
KerberosTicket (javax.security.auth.kerberos.KerberosTicket)5
PrivilegedActionException (java.security.PrivilegedActionException)3
Subject (javax.security.auth.Subject)3
KeyTab (javax.security.auth.kerberos.KeyTab)2
GSSException (org.ietf.jgss.GSSException)2
GSSManager (org.ietf.jgss.GSSManager)2
EncryptionKey (sun.security.krb5.EncryptionKey)2
AuthorizationDataEntry (com.sun.security.jgss.AuthorizationDataEntry)1
ExtendedGSSContext (com.sun.security.jgss.ExtendedGSSContext)1
EOFException (java.io.EOFException)1
FileOutputStream (java.io.FileOutputStream)1
IOException (java.io.IOException)1
InvocationTargetException (java.lang.reflect.InvocationTargetException)1
BigInteger (java.math.BigInteger)1
InetAddress (java.net.InetAddress)1
ByteBuffer (java.nio.ByteBuffer)1
Key (java.security.Key)1
Principal (java.security.Principal)1
