Examples with EncryptionKey sun.security.krb5.EncryptionKey used on opensource projects

Example 1 with EncryptionKey

use of sun.security.krb5.EncryptionKey in project jdk8u_jdk by JetBrains.

the class KerberosClientKeyExchangeImpl method init.

/**
     * Creates an instance of KerberosClientKeyExchange consisting of the
     * Kerberos service ticket, authenticator and encrypted premaster secret.
     * Called by client handshaker.
     *
     * @param serverName name of server with which to do handshake;
     *             this is used to get the Kerberos service ticket
     * @param protocolVersion Maximum version supported by client (i.e,
     *          version it requested in client hello)
     * @param rand random number generator to use for generating pre-master
     *          secret
     */
@Override
public void init(String serverName, AccessControlContext acc, ProtocolVersion protocolVersion, SecureRandom rand) throws IOException {
    // Get service ticket
    KerberosTicket ticket = getServiceTicket(serverName, acc);
    encodedTicket = ticket.getEncoded();
    // Record the Kerberos principals
    peerPrincipal = ticket.getServer();
    localPrincipal = ticket.getClient();
    // Optional authenticator, encrypted using session key,
    // currently ignored
    // Generate premaster secret and encrypt it using session key
    EncryptionKey sessionKey = new EncryptionKey(ticket.getSessionKeyType(), ticket.getSessionKey().getEncoded());
    preMaster = new KerberosPreMasterSecret(protocolVersion, rand, sessionKey);
}

Example 2 with EncryptionKey

use of sun.security.krb5.EncryptionKey in project jdk8u_jdk by JetBrains.

the class ServiceCreds method getEKeys.

/**
     * Gets EKeys for a principal.
     * @param princ the target name initiator requests. Not null.
     * @return keys for the princ, never null, might be empty
     */
public EncryptionKey[] getEKeys(PrincipalName princ) {
    if (destroyed) {
        throw new IllegalStateException("This object is destroyed");
    }
    KerberosKey[] kkeys = getKKeys(new KerberosPrincipal(princ.getName()));
    if (kkeys.length == 0) {
        // Fallback: old JDK does not perform real name checking. If the
        // acceptor has host.sun.com but initiator requests for host,
        // as long as their keys match (i.e. keys for one can decrypt
        // the other's service ticket), the authentication is OK.
        // There are real customers depending on this to use different
        // names for a single service.
        kkeys = getKKeys();
    }
    EncryptionKey[] ekeys = new EncryptionKey[kkeys.length];
    for (int i = 0; i < ekeys.length; i++) {
        ekeys[i] = new EncryptionKey(kkeys[i].getEncoded(), kkeys[i].getKeyType(), new Integer(kkeys[i].getVersionNumber()));
    }
    return ekeys;
}

Example 3 with EncryptionKey

use of sun.security.krb5.EncryptionKey in project jdk8u_jdk by JetBrains.

the class KeyImpl method readObject.

private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
    try {
        EncryptionKey encKey = new EncryptionKey(new DerValue((byte[]) ois.readObject()));
        keyType = encKey.getEType();
        keyBytes = encKey.getBytes();
    } catch (Asn1Exception ae) {
        throw new IOException(ae.getMessage());
    }
}

Example 4 with EncryptionKey

use of sun.security.krb5.EncryptionKey in project jdk8u_jdk by JetBrains.

the class KeyTab method getKeys.

/**
     * Returns fresh keys for the given Kerberos principal.
     * <p>
     * Implementation of this method should make sure the returned keys match
     * the latest content of the keytab file. The result is a newly created
     * copy that can be modified by the caller without modifying the keytab
     * object. The caller should {@link KerberosKey#destroy() destroy} the
     * result keys after they are used.
     * <p>
     * Please note that the keytab file can be created after the
     * {@code KeyTab} object is instantiated and its content may change over
     * time. Therefore, an application should call this method only when it
     * needs to use the keys. Any previous result from an earlier invocation
     * could potentially be expired.
     * <p>
     * If there is any error (say, I/O error or format error)
     * during the reading process of the KeyTab file, a saved result should be
     * returned. If there is no saved result (say, this is the first time this
     * method is called, or, all previous read attempts failed), an empty array
     * should be returned. This can make sure the result is not drastically
     * changed during the (probably slow) update of the keytab file.
     * <p>
     * Each time this method is called and the reading of the file succeeds
     * with no exception (say, I/O error or file format error),
     * the result should be saved for {@code principal}. The implementation can
     * also save keys for other principals having keys in the same keytab object
     * if convenient.
     * <p>
     * Any unsupported key read from the keytab is ignored and not included
     * in the result.
     * <p>
     * If this keytab is bound to a specific principal, calling this method on
     * another principal will return an empty array.
     *
     * @param principal the Kerberos principal, must not be null.
     * @return the keys (never null, may be empty)
     * @throws NullPointerException if the {@code principal}
     * argument is null
     * @throws SecurityException if a security manager exists and the read
     * access to the keytab file is not permitted
     */
public KerberosKey[] getKeys(KerberosPrincipal principal) {
    try {
        if (princ != null && !principal.equals(princ)) {
            return new KerberosKey[0];
        }
        PrincipalName pn = new PrincipalName(principal.getName());
        EncryptionKey[] keys = takeSnapshot().readServiceKeys(pn);
        KerberosKey[] kks = new KerberosKey[keys.length];
        for (int i = 0; i < kks.length; i++) {
            Integer tmp = keys[i].getKeyVersionNumber();
            kks[i] = new KerberosKey(principal, keys[i].getBytes(), keys[i].getEType(), tmp == null ? 0 : tmp.intValue());
            keys[i].destroy();
        }
        return kks;
    } catch (RealmException re) {
        return new KerberosKey[0];
    }
}

Example 5 with EncryptionKey

use of sun.security.krb5.EncryptionKey in project jdk8u_jdk by JetBrains.

the class KrbApReq method authenticate.

private void authenticate(Krb5AcceptCredential cred, InetAddress initiator) throws KrbException, IOException {
    int encPartKeyType = apReqMessg.ticket.encPart.getEType();
    Integer kvno = apReqMessg.ticket.encPart.getKeyVersionNumber();
    EncryptionKey[] keys = cred.getKrb5EncryptionKeys(apReqMessg.ticket.sname);
    EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, kvno, keys);
    if (dkey == null) {
        throw new KrbException(Krb5.API_INVALID_ARG, "Cannot find key of appropriate type to decrypt AP REP - " + EType.toString(encPartKeyType));
    }
    byte[] bytes = apReqMessg.ticket.encPart.decrypt(dkey, KeyUsage.KU_TICKET);
    byte[] temp = apReqMessg.ticket.encPart.reset(bytes);
    EncTicketPart enc_ticketPart = new EncTicketPart(temp);
    checkPermittedEType(enc_ticketPart.key.getEType());
    byte[] bytes2 = apReqMessg.authenticator.decrypt(enc_ticketPart.key, KeyUsage.KU_AP_REQ_AUTHENTICATOR);
    byte[] temp2 = apReqMessg.authenticator.reset(bytes2);
    authenticator = new Authenticator(temp2);
    ctime = authenticator.ctime;
    cusec = authenticator.cusec;
    authenticator.ctime = authenticator.ctime.withMicroSeconds(authenticator.cusec);
    if (!authenticator.cname.equals(enc_ticketPart.cname)) {
        throw new KrbApErrException(Krb5.KRB_AP_ERR_BADMATCH);
    }
    if (!authenticator.ctime.inClockSkew())
        throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
    byte[] hash;
    try {
        hash = MessageDigest.getInstance("MD5").digest(apReqMessg.authenticator.cipher);
    } catch (NoSuchAlgorithmException ex) {
        throw new AssertionError("Impossible");
    }
    char[] h = new char[hash.length * 2];
    for (int i = 0; i < hash.length; i++) {
        h[2 * i] = hexConst[(hash[i] & 0xff) >> 4];
        h[2 * i + 1] = hexConst[hash[i] & 0xf];
    }
    AuthTimeWithHash time = new AuthTimeWithHash(authenticator.cname.toString(), apReqMessg.ticket.sname.toString(), authenticator.ctime.getSeconds(), authenticator.cusec, new String(h));
    rcache.checkAndStore(KerberosTime.now(), time);
    if (initiator != null) {
        // sender host address
        HostAddress sender = new HostAddress(initiator);
        if (enc_ticketPart.caddr != null && !enc_ticketPart.caddr.inList(sender)) {
            if (DEBUG) {
                System.out.println(">>> KrbApReq: initiator is " + sender.getInetAddress() + ", but caddr is " + Arrays.toString(enc_ticketPart.caddr.getInetAddresses()));
            }
            throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
        }
    }
    // XXX check for repeated authenticator
    // if found
    //    throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT);
    // else
    //    save authenticator to check for later
    KerberosTime now = KerberosTime.now();
    if ((enc_ticketPart.starttime != null && enc_ticketPart.starttime.greaterThanWRTClockSkew(now)) || enc_ticketPart.flags.get(Krb5.TKT_OPTS_INVALID))
        throw new KrbApErrException(Krb5.KRB_AP_ERR_TKT_NYV);
    // than the allowable clock skew, throws ticket expired exception.
    if (enc_ticketPart.endtime != null && now.greaterThanWRTClockSkew(enc_ticketPart.endtime)) {
        throw new KrbApErrException(Krb5.KRB_AP_ERR_TKT_EXPIRED);
    }
    creds = new Credentials(apReqMessg.ticket, authenticator.cname, apReqMessg.ticket.sname, enc_ticketPart.key, enc_ticketPart.flags, enc_ticketPart.authtime, enc_ticketPart.starttime, enc_ticketPart.endtime, enc_ticketPart.renewTill, enc_ticketPart.caddr, enc_ticketPart.authorizationData);
    if (DEBUG) {
        System.out.println(">>> KrbApReq: authenticate succeed.");
    }
}