
Example 1 with KrbException

use of sun.security.krb5.KrbException in project jdk8u_jdk by JetBrains.

Class DynamicKeytab, method go().

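/**
 * Exercises dynamic keytab handling by the acceptor: the keytab at
 * OneKDC.KTAB is written, appended to, corrupted, deleted and overwritten
 * between connect() calls, and each step must either succeed or fail with
 * the expected Krb5 return code. The fields c and s hold the client and
 * acceptor Contexts created from the JAAS entries below.
 *
 * @throws Exception if any step does not behave as expected
 */
void go() throws Exception {
    OneKDC k = new OneKDC(null);
    k.writeJAASConf();
    Files.delete(Paths.get(OneKDC.KTAB));
    // Starts with no keytab
    c = Context.fromJAAS("client");
    s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
    // Test 1: read new key 1 from keytab
    k.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
    k.writeKtab(OneKDC.KTAB);
    connect();
    // Test 2: service key cached, find 1 in keytab (now contains 1 and 2)
    k.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    connect();
    // Test 3: re-login. Now find 2 in keytab
    c = Context.fromJAAS("client");
    connect();
    // Test 4: re-login, KDC use 3 this time.
    c = Context.fromJAAS("client");
    // Put 3 and 4 into keytab but keep the real key back to 3.
    k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    k.addPrincipal(OneKDC.SERVER, "pass4".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
    connect();
    // Test 5: invalid keytab file, should ignore
    try (FileOutputStream fos = new FileOutputStream(OneKDC.KTAB)) {
        fos.write("BADBADBAD".getBytes());
    }
    connect();
    // Test 6: delete keytab file, identical to revoke all
    Files.delete(Paths.get(OneKDC.KTAB));
    // This should have been Krb5.KRB_AP_ERR_NOKEY
    connectExpectingCode(Krb5.API_INVALID_ARG);
    // Test 7: 3 revoked, should fail (now contains only 5)
    k.addPrincipal(OneKDC.SERVER, "pass5".toCharArray());
    // overwrite keytab, which means old key is revoked
    k.writeKtab(OneKDC.KTAB);
    // Since 7197159, different kvno is accepted, so KRB_AP_ERR_BADKEYVER is
    // never thrown out again; only the failure itself is checked here.
    connectExpectingFailure();
    // Test 8: an empty KDC means revoke all
    KDC.create("EMPTY.REALM").writeKtab(OneKDC.KTAB);
    // This should have been Krb5.KRB_AP_ERR_NOKEY
    connectExpectingCode(Krb5.API_INVALID_ARG);
}

/**
 * Runs connect() and requires it to fail with a GSSException.
 *
 * @return the GSSException thrown by connect()
 * @throws Exception if connect() succeeded
 */
private GSSException connectExpectingFailure() throws Exception {
    try {
        connect();
    } catch (GSSException gsse) {
        System.out.println(gsse);
        return gsse;
    }
    throw new Exception("Should not success");
}

/**
 * Runs connect(), requires it to fail with a GSSException whose cause is a
 * KrbException, and checks that KrbException's return code.
 *
 * @param expectedCode the Krb5 return code the failure must carry
 * @throws Exception if connect() succeeded, the cause is missing or not a
 *         KrbException, or the return code differs from expectedCode
 */
private void connectExpectingCode(int expectedCode) throws Exception {
    GSSException gsse = connectExpectingFailure();
    Throwable cause = gsse.getCause();
    // Check the cause type first so a missing or foreign cause is reported
    // as a test failure instead of a ClassCastException/NullPointerException.
    if (!(cause instanceof KrbException)) {
        throw new Exception("Not expected cause: " + cause, gsse);
    }
    KrbException ke = (KrbException) cause;
    if (ke.returnCode() != expectedCode) {
        throw new Exception("Not expected failure code: " + ke.returnCode());
    }
}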

Example 2 with KrbException

use of sun.security.krb5.KrbException in project jdk8u_jdk by JetBrains.

Class KDCOptions, method setDefault().

/**
 * Seeds the option flags from krb5.conf: each of RENEWABLE_OK, PROXIABLE and
 * FORWARDABLE is switched on when its bit is set in
 * {@code libdefaults/kdc_default_options}, or otherwise when the matching
 * boolean key ({@code renewable}, {@code proxiable}, {@code forwardable}) is
 * true. A KrbException while reading the configuration leaves the flags
 * untouched and is only reported when DEBUG is on.
 */
private void setDefault() {
    try {
        Config cfg = Config.getInstance();
        // A missing key yields Integer.MIN_VALUE (only the sign bit set),
        // which the original author treats as "no option bits".
        int mask = cfg.getIntValue("libdefaults", "kdc_default_options");
        enableIfConfigured(cfg, mask, KDC_OPT_RENEWABLE_OK, RENEWABLE_OK, "renewable");
        enableIfConfigured(cfg, mask, KDC_OPT_PROXIABLE, PROXIABLE, "proxiable");
        enableIfConfigured(cfg, mask, KDC_OPT_FORWARDABLE, FORWARDABLE, "forwardable");
    } catch (KrbException e) {
        if (DEBUG) {
            System.out.println("Exception in getting default values for KDC Options from the configuration ");
            e.printStackTrace();
        }
    }
}

/**
 * Turns {@code flag} on when {@code optBit} is present in {@code mask}, or
 * else when the boolean {@code libdefaults/key} is true. The configuration
 * lookup is only made when the bit is absent.
 */
private void enableIfConfigured(Config cfg, int mask, int optBit, int flag, String key) throws KrbException {
    if ((mask & optBit) == optBit || cfg.getBooleanValue("libdefaults", key)) {
        set(flag, true);
    }
}

Example 3 with KrbException

use of sun.security.krb5.KrbException in project jdk8u_jdk by JetBrains.

Class PAForUserEnc, method asn1Encode().

/**
 * DER-encodes this PA-FOR-USER as a SEQUENCE of four context-tagged fields:
 * [0] the principal name, [1] its realm, [2] an HMAC-MD5-ARCFOUR checksum
 * over getS4UByteArray() computed with {@code key} under
 * KU_PA_FOR_USER_ENC_CKSUM, and [3] AUTH_PACKAGE as a KerberosString.
 *
 * @return the encoded bytes
 * @throws Asn1Exception on an encoding error outside the checksum step
 * @throws IOException on an I/O error, or wrapping any KrbException raised
 *         while building or encoding the checksum (cause preserved)
 */
public byte[] asn1Encode() throws Asn1Exception, IOException {
    DerOutputStream fields = new DerOutputStream();
    fields.write(contextTag(0), name.asn1Encode());
    fields.write(contextTag(1), name.getRealm().asn1Encode());
    try {
        // The checksum binds the name/realm to the shared key.
        Checksum binding = new Checksum(Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR, getS4UByteArray(), key, KeyUsage.KU_PA_FOR_USER_ENC_CKSUM);
        fields.write(contextTag(2), binding.asn1Encode());
    } catch (KrbException ke) {
        throw new IOException(ke);
    }
    DerOutputStream authPackage = new DerOutputStream();
    authPackage.putDerValue(new KerberosString(AUTH_PACKAGE).toDerValue());
    fields.write(contextTag(3), authPackage);
    DerOutputStream sequence = new DerOutputStream();
    sequence.write(DerValue.tag_Sequence, fields);
    return sequence.toByteArray();
}

/** Builds the constructed context-specific tag byte for {@code tagNumber}. */
private static byte contextTag(int tagNumber) {
    return DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) tagNumber);
}

Example 4 with KrbException

use of sun.security.krb5.KrbException in project jdk8u_jdk by JetBrains.

Class KdcComm, method sendIfPossible().

/**
 * Sends the AS request in {@code obuf} to {@code tempKdc} and returns the raw
 * reply. If the reply decodes as a KRB-ERROR carrying
 * KRB_ERR_RESPONSE_TOO_BIG, the request is resent once over TCP. On success
 * the KDC is cleared from the "bad" list; if anything is thrown the KDC is
 * marked bad and the exception is rethrown unchanged.
 *
 * @param obuf    the encoded request
 * @param tempKdc the KDC to contact
 * @param useTCP  whether the first attempt already uses TCP
 * @return the reply bytes
 * @throws IOException  if the transport fails
 * @throws KrbException if sending fails at the Kerberos level
 */
private byte[] sendIfPossible(byte[] obuf, String tempKdc, boolean useTCP) throws IOException, KrbException {
    try {
        byte[] reply = send(obuf, tempKdc, useTCP);
        KRBError err = tryParseError(reply);
        // Too-big replies are retried over TCP regardless of useTCP.
        if (err != null && err.getErrorCode() == Krb5.KRB_ERR_RESPONSE_TOO_BIG) {
            reply = send(obuf, tempKdc, true);
        }
        KdcAccessibility.removeBad(tempKdc);
        return reply;
    } catch (Exception e) {
        if (DEBUG) {
            System.out.println(">>> KrbKdcReq send: error trying " + tempKdc);
            e.printStackTrace(System.out);
        }
        KdcAccessibility.addBad(tempKdc);
        throw e;
    }
}

/**
 * Decodes {@code reply} as a KRB-ERROR, or returns null when it does not
 * parse as one. Parse failures are deliberately ignored: a reply that is not
 * a KRB-ERROR is simply handed back to the caller as-is.
 */
private static KRBError tryParseError(byte[] reply) {
    try {
        return new KRBError(reply);
    } catch (Exception ignored) {
        // Not a KRB-ERROR; treated as a regular reply by the caller.
        return null;
    }
}

Example 5 with KrbException

use of sun.security.krb5.KrbException in project jdk8u_jdk by JetBrains.

Class Krb5Util, method getTicketFromSubjectAndTgs().

/**
 * Retrieves the service ticket for {@code serverPrincipal}, looking first in
 * the caller's Subject (from {@code acc}), then in a Subject obtained by
 * logging in, and finally by asking the TGS with a TGT found in either
 * Subject. A ticket obtained from the TGS is cached in the caller's Subject
 * only when the TGT came from that Subject and it is not read-only.
 *
 * Caller must have permission to:
 *    - access and update Subject's private credentials
 *    - create LoginContext
 *    - read the auth.login.defaultCallbackHandler security property
 *
 * NOTE: This method is used by JSSE Kerberos Cipher Suites.
 *
 * @param caller          the GSS caller type, consulted to decide whether
 *                        credentials outside the Subject may be used
 * @param clientPrincipal the client principal the ticket must belong to
 * @param serverPrincipal the service the ticket is for
 * @param tgsPrincipal    the TGS principal used to locate a TGT
 * @param acc             the access control context holding the caller's Subject
 * @return the service ticket, or null if none could be found or acquired
 * @throws LoginException if the login attempt fails in a way not swallowed here
 * @throws KrbException   if acquiring service credentials fails
 * @throws IOException    if credential conversion or KDC communication fails
 */
public static KerberosTicket getTicketFromSubjectAndTgs(GSSCaller caller, String clientPrincipal, String serverPrincipal, String tgsPrincipal, AccessControlContext acc) throws LoginException, KrbException, IOException {
    // 1. A service ticket already in the caller's Subject wins outright.
    Subject accSubj = Subject.getSubject(acc);
    KerberosTicket serviceTicket = SubjectComber.find(accSubj, serverPrincipal, clientPrincipal, KerberosTicket.class);
    if (serviceTicket != null) {
        return serviceTicket;
    }
    // 2. Unless restricted to Subject credentials, log in and look there.
    Subject loginSubj = null;
    if (!GSSUtil.useSubjectCredsOnly(caller)) {
        try {
            loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
            serviceTicket = SubjectComber.find(loginSubj, serverPrincipal, clientPrincipal, KerberosTicket.class);
            if (serviceTicket != null) {
                return serviceTicket;
            }
        } catch (LoginException ignored) {
            // No login entry to use; continue with the TGT path.
        }
    }
    // 3./4. Locate a TGT, preferring the caller's Subject over the login Subject.
    boolean tgtFromAcc = true;
    KerberosTicket tgt = SubjectComber.find(accSubj, tgsPrincipal, clientPrincipal, KerberosTicket.class);
    if (tgt == null && loginSubj != null) {
        tgt = SubjectComber.find(loginSubj, tgsPrincipal, clientPrincipal, KerberosTicket.class);
        tgtFromAcc = false;
    }
    if (tgt == null) {
        return null;
    }
    // 5. Ask the TGS for the service ticket using that TGT.
    Credentials serviceCreds = Credentials.acquireServiceCreds(serverPrincipal, ticketToCreds(tgt));
    if (serviceCreds == null) {
        return null;
    }
    serviceTicket = credsToTicket(serviceCreds);
    // Cache only into the caller's own (writable) Subject, never the login Subject.
    if (tgtFromAcc && accSubj != null && !accSubj.isReadOnly()) {
        accSubj.getPrivateCredentials().add(serviceTicket);
    }
    return serviceTicket;
}
