Example 1 with KrbException
use of sun.security.krb5.KrbException in project jdk8u_jdk by JetBrains.
the class DynamicKeytab method go.
void go() throws Exception {
OneKDC k = new OneKDC(null);
k.writeJAASConf();
Files.delete(Paths.get(OneKDC.KTAB));
// Starts with no keytab
c = Context.fromJAAS("client");
s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
// Test 1: read new key 1 from keytab
k.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
k.writeKtab(OneKDC.KTAB);
connect();
// Test 2: service key cached, find 1 in keytab (now contains 1 and 2)
k.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
k.appendKtab(OneKDC.KTAB);
connect();
// Test 3: re-login. Now find 2 in keytab
c = Context.fromJAAS("client");
connect();
// Test 4: re-login, KDC use 3 this time.
c = Context.fromJAAS("client");
// Put 3 and 4 into keytab but keep the real key back to 3.
k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
k.appendKtab(OneKDC.KTAB);
k.addPrincipal(OneKDC.SERVER, "pass4".toCharArray());
k.appendKtab(OneKDC.KTAB);
k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
connect();
// Test 5: invalid keytab file, should ignore
try (FileOutputStream fos = new FileOutputStream(OneKDC.KTAB)) {
fos.write("BADBADBAD".getBytes());
}
connect();
// Test 6: delete keytab file, identical to revoke all
Files.delete(Paths.get(OneKDC.KTAB));
try {
connect();
throw new Exception("Should not success");
} catch (GSSException gsse) {
System.out.println(gsse);
KrbException ke = (KrbException) gsse.getCause();
// This should have been Krb5.KRB_AP_ERR_NOKEY
if (ke.returnCode() != Krb5.API_INVALID_ARG) {
throw new Exception("Not expected failure code: " + ke.returnCode());
}
}
// Test 7: 3 revoked, should fail (now contains only 5)
k.addPrincipal(OneKDC.SERVER, "pass5".toCharArray());
// overwrite keytab, which means
k.writeKtab(OneKDC.KTAB);
// old key is revoked
try {
connect();
throw new Exception("Should not success");
} catch (GSSException gsse) {
System.out.println(gsse);
// Since 7197159, different kvno is accepted, this return code
// will never be thrown out again.
//KrbException ke = (KrbException)gsse.getCause();
//if (ke.returnCode() != Krb5.KRB_AP_ERR_BADKEYVER) {
// throw new Exception("Not expected failure code: " +
// ke.returnCode());
//}
}
// Test 8: an empty KDC means revoke all
KDC.create("EMPTY.REALM").writeKtab(OneKDC.KTAB);
try {
connect();
throw new Exception("Should not success");
} catch (GSSException gsse) {
System.out.println(gsse);
KrbException ke = (KrbException) gsse.getCause();
// This should have been Krb5.KRB_AP_ERR_NOKEY
if (ke.returnCode() != Krb5.API_INVALID_ARG) {
throw new Exception("Not expected failure code: " + ke.returnCode());
}
}
}
Also used :
GSSException(org.ietf.jgss.GSSException)
KrbException(sun.security.krb5.KrbException)
FileOutputStream(java.io.FileOutputStream)
GSSException(org.ietf.jgss.GSSException)
KrbException(sun.security.krb5.KrbException)
Example 2 with KrbException
use of sun.security.krb5.KrbException in project jdk8u_jdk by JetBrains.
the class KDCOptions method setDefault.
private void setDefault() {
try {
Config config = Config.getInstance();
// If key not present, returns Integer.MIN_VALUE, which is
// almost all zero.
int options = config.getIntValue("libdefaults", "kdc_default_options");
if ((options & KDC_OPT_RENEWABLE_OK) == KDC_OPT_RENEWABLE_OK) {
set(RENEWABLE_OK, true);
} else {
if (config.getBooleanValue("libdefaults", "renewable")) {
set(RENEWABLE_OK, true);
}
}
if ((options & KDC_OPT_PROXIABLE) == KDC_OPT_PROXIABLE) {
set(PROXIABLE, true);
} else {
if (config.getBooleanValue("libdefaults", "proxiable")) {
set(PROXIABLE, true);
}
}
if ((options & KDC_OPT_FORWARDABLE) == KDC_OPT_FORWARDABLE) {
set(FORWARDABLE, true);
} else {
if (config.getBooleanValue("libdefaults", "forwardable")) {
set(FORWARDABLE, true);
}
}
} catch (KrbException e) {
if (DEBUG) {
System.out.println("Exception in getting default values for " + "KDC Options from the configuration ");
e.printStackTrace();
}
}
}
Also used :
Config(sun.security.krb5.Config)
KrbException(sun.security.krb5.KrbException)
Example 3 with KrbException
use of sun.security.krb5.KrbException in project jdk8u_jdk by JetBrains.
the class PAForUserEnc method asn1Encode.
public byte[] asn1Encode() throws Asn1Exception, IOException {
DerOutputStream bytes = new DerOutputStream();
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x00), name.asn1Encode());
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x01), name.getRealm().asn1Encode());
try {
Checksum cks = new Checksum(Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR, getS4UByteArray(), key, KeyUsage.KU_PA_FOR_USER_ENC_CKSUM);
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x02), cks.asn1Encode());
} catch (KrbException ke) {
throw new IOException(ke);
}
DerOutputStream temp = new DerOutputStream();
temp.putDerValue(new KerberosString(AUTH_PACKAGE).toDerValue());
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0x03), temp);
temp = new DerOutputStream();
temp.write(DerValue.tag_Sequence, bytes);
return temp.toByteArray();
}
Also used :
DerOutputStream(sun.security.util.DerOutputStream)
IOException(java.io.IOException)
KerberosString(sun.security.krb5.internal.util.KerberosString)
Example 4 with KrbException
use of sun.security.krb5.KrbException in project jdk8u_jdk by JetBrains.
the class KdcComm method sendIfPossible.
// send the AS Request to the specified KDC
// failover to using TCP if useTCP is not set and response is too big
private byte[] sendIfPossible(byte[] obuf, String tempKdc, boolean useTCP) throws IOException, KrbException {
try {
byte[] ibuf = send(obuf, tempKdc, useTCP);
KRBError ke = null;
try {
ke = new KRBError(ibuf);
} catch (Exception e) {
// OK
}
if (ke != null && ke.getErrorCode() == Krb5.KRB_ERR_RESPONSE_TOO_BIG) {
ibuf = send(obuf, tempKdc, true);
}
KdcAccessibility.removeBad(tempKdc);
return ibuf;
} catch (Exception e) {
if (DEBUG) {
System.out.println(">>> KrbKdcReq send: error trying " + tempKdc);
e.printStackTrace(System.out);
}
KdcAccessibility.addBad(tempKdc);
throw e;
}
}
Also used :
KRBError(sun.security.krb5.internal.KRBError)
PrivilegedActionException(java.security.PrivilegedActionException)
IOException(java.io.IOException)
SocketTimeoutException(java.net.SocketTimeoutException)
Example 5 with KrbException
use of sun.security.krb5.KrbException in project jdk8u_jdk by JetBrains.
the class Krb5Util method getTicketFromSubjectAndTgs.
/**
* Retrieve the service ticket for serverPrincipal from caller's Subject
* or from Subject obtained by logging in, or if not found, via the
* Ticket Granting Service using the TGT obtained from the Subject.
*
* Caller must have permission to:
* - access and update Subject's private credentials
* - create LoginContext
* - read the auth.login.defaultCallbackHandler security property
*
* NOTE: This method is used by JSSE Kerberos Cipher Suites
*/
public static KerberosTicket getTicketFromSubjectAndTgs(GSSCaller caller, String clientPrincipal, String serverPrincipal, String tgsPrincipal, AccessControlContext acc) throws LoginException, KrbException, IOException {
// 1. Try to find service ticket in acc subject
Subject accSubj = Subject.getSubject(acc);
KerberosTicket ticket = SubjectComber.find(accSubj, serverPrincipal, clientPrincipal, KerberosTicket.class);
if (ticket != null) {
// found it
return ticket;
}
Subject loginSubj = null;
if (!GSSUtil.useSubjectCredsOnly(caller)) {
// 2. Try to get ticket from login
try {
loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
ticket = SubjectComber.find(loginSubj, serverPrincipal, clientPrincipal, KerberosTicket.class);
if (ticket != null) {
// found it
return ticket;
}
} catch (LoginException e) {
// No login entry to use
// ignore and continue
}
}
// Service ticket not found in subject or login
// Try to get TGT to acquire service ticket
// 3. Try to get TGT from acc subject
KerberosTicket tgt = SubjectComber.find(accSubj, tgsPrincipal, clientPrincipal, KerberosTicket.class);
boolean fromAcc;
if (tgt == null && loginSubj != null) {
// 4. Try to get TGT from login subject
tgt = SubjectComber.find(loginSubj, tgsPrincipal, clientPrincipal, KerberosTicket.class);
fromAcc = false;
} else {
fromAcc = true;
}
// 5. Try to get service ticket using TGT
if (tgt != null) {
Credentials tgtCreds = ticketToCreds(tgt);
Credentials serviceCreds = Credentials.acquireServiceCreds(serverPrincipal, tgtCreds);
if (serviceCreds != null) {
ticket = credsToTicket(serviceCreds);
// Store service ticket in acc's Subject
if (fromAcc && accSubj != null && !accSubj.isReadOnly()) {
accSubj.getPrivateCredentials().add(ticket);
}
}
}
return ticket;
}
Also used :
KerberosTicket(javax.security.auth.kerberos.KerberosTicket)
LoginException(javax.security.auth.login.LoginException)
Subject(javax.security.auth.Subject)
Credentials(sun.security.krb5.Credentials)
Aggregations
KrbException (sun.security.krb5.KrbException)7
IOException (java.io.IOException)3
PrincipalName (sun.security.krb5.PrincipalName)3
KerberosString (sun.security.krb5.internal.util.KerberosString)3
PrivilegedActionException (java.security.PrivilegedActionException)2
KerberosTicket (javax.security.auth.kerberos.KerberosTicket)2
GSSException (org.ietf.jgss.GSSException)2
Config (sun.security.krb5.Config)2
CredentialsCache (sun.security.krb5.internal.ccache.CredentialsCache)2
KeyTab (sun.security.krb5.internal.ktab.KeyTab)2
AuthTimeWithHash (sun.security.krb5.internal.rcache.AuthTimeWithHash)2
DerOutputStream (sun.security.util.DerOutputStream)2
FileOutputStream (java.io.FileOutputStream)1
InvocationTargetException (java.lang.reflect.InvocationTargetException)1
SocketTimeoutException (java.net.SocketTimeoutException)1
SeekableByteChannel (java.nio.channels.SeekableByteChannel)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
Subject (javax.security.auth.Subject)1
KerberosKey (javax.security.auth.kerberos.KerberosKey)1
KerberosPrincipal (javax.security.auth.kerberos.KerberosPrincipal)1
