Example 16 with PrincipalName
use of sun.security.krb5.PrincipalName in project jdk8u_jdk by JetBrains.
the class KDC method processAsReq.
/**
* Processes a AS_REQ and generates a AS_REP (or KRB_ERROR)
* @param in the request
* @return the response
* @throws java.lang.Exception for various errors
*/
protected byte[] processAsReq(byte[] in) throws Exception {
ASReq asReq = new ASReq(in);
int[] eTypes = null;
List<PAData> outPAs = new ArrayList<>();
PrincipalName service = asReq.reqBody.sname;
if (options.containsKey(KDC.Option.RESP_NT)) {
service = new PrincipalName((int) options.get(KDC.Option.RESP_NT), service.getNameStrings(), Realm.getDefault());
}
try {
System.out.println(realm + "> " + asReq.reqBody.cname + " sends AS-REQ for " + service + ", " + asReq.reqBody.kdcOptions);
KDCReqBody body = asReq.reqBody;
eTypes = KDCReqBodyDotEType(body);
int eType = eTypes[0];
EncryptionKey ckey = keyForUser(body.cname, eType, false);
EncryptionKey skey = keyForUser(service, eType, true);
if (options.containsKey(KDC.Option.ONLY_RC4_TGT)) {
int tgtEType = EncryptedData.ETYPE_ARCFOUR_HMAC;
boolean found = false;
for (int i = 0; i < eTypes.length; i++) {
if (eTypes[i] == tgtEType) {
found = true;
break;
}
}
if (!found) {
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
}
skey = keyForUser(service, tgtEType, true);
}
if (ckey == null) {
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
}
if (skey == null) {
// TODO
throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP);
}
// Session key
EncryptionKey key = generateRandomKey(eType);
// Check time, TODO
KerberosTime till = body.till;
if (till == null) {
// TODO
throw new KrbException(Krb5.KDC_ERR_NEVER_VALID);
} else if (till.isZero()) {
till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11);
}
//body.from
boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX + 1];
if (body.kdcOptions.get(KDCOptions.FORWARDABLE)) {
List<String> sensitives = (List<String>) options.get(Option.SENSITIVE_ACCOUNTS);
if (sensitives != null && sensitives.contains(body.cname.toString())) {
// Cannot make FORWARDABLE
} else {
bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
}
}
if (body.kdcOptions.get(KDCOptions.RENEWABLE)) {
bFlags[Krb5.TKT_OPTS_RENEWABLE] = true;
//renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7);
}
if (body.kdcOptions.get(KDCOptions.PROXIABLE)) {
bFlags[Krb5.TKT_OPTS_PROXIABLE] = true;
}
if (body.kdcOptions.get(KDCOptions.POSTDATED)) {
bFlags[Krb5.TKT_OPTS_POSTDATED] = true;
}
if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
}
bFlags[Krb5.TKT_OPTS_INITIAL] = true;
// Creating PA-DATA
DerValue[] pas2 = null, pas = null;
if (options.containsKey(KDC.Option.DUP_ETYPE)) {
int n = (Integer) options.get(KDC.Option.DUP_ETYPE);
switch(n) {
case // customer's case in 7067974
1:
pas2 = new DerValue[] { new DerValue(new ETypeInfo2(1, null, null).asn1Encode()), new DerValue(new ETypeInfo2(1, "", null).asn1Encode()), new DerValue(new ETypeInfo2(1, realm, new byte[] { 1 }).asn1Encode()) };
pas = new DerValue[] { new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()), new DerValue(new ETypeInfo(1, realm).asn1Encode()) };
break;
case // we still reject non-null s2kparams and prefer E2 over E
2:
pas2 = new DerValue[] { new DerValue(new ETypeInfo2(1, realm, new byte[] { 1 }).asn1Encode()), new DerValue(new ETypeInfo2(1, null, null).asn1Encode()), new DerValue(new ETypeInfo2(1, "", null).asn1Encode()) };
pas = new DerValue[] { new DerValue(new ETypeInfo(1, realm).asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()) };
break;
case // but only E is wrong
3:
pas = new DerValue[] { new DerValue(new ETypeInfo(1, realm).asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()) };
break;
case // we also ignore rc4-hmac
4:
pas = new DerValue[] { new DerValue(new ETypeInfo(23, "ANYTHING").asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()) };
break;
case // "" should be wrong, but we accept it now
5:
// See s.s.k.internal.PAData$SaltAndParams
pas = new DerValue[] { new DerValue(new ETypeInfo(1, "").asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()) };
break;
}
} else {
int[] epas = eTypes;
if (options.containsKey(KDC.Option.RC4_FIRST_PREAUTH)) {
for (int i = 1; i < epas.length; i++) {
if (epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC) {
epas[i] = epas[0];
epas[0] = EncryptedData.ETYPE_ARCFOUR_HMAC;
break;
}
}
;
} else if (options.containsKey(KDC.Option.ONLY_ONE_PREAUTH)) {
epas = new int[] { eTypes[0] };
}
pas2 = new DerValue[epas.length];
for (int i = 0; i < epas.length; i++) {
pas2[i] = new DerValue(new ETypeInfo2(epas[i], epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? null : getSalt(body.cname), null).asn1Encode());
}
boolean allOld = true;
for (int i : eTypes) {
if (i == EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96 || i == EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96) {
allOld = false;
break;
}
}
if (allOld) {
pas = new DerValue[epas.length];
for (int i = 0; i < epas.length; i++) {
pas[i] = new DerValue(new ETypeInfo(epas[i], epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? null : getSalt(body.cname)).asn1Encode());
}
}
}
DerOutputStream eid;
if (pas2 != null) {
eid = new DerOutputStream();
eid.putSequence(pas2);
outPAs.add(new PAData(Krb5.PA_ETYPE_INFO2, eid.toByteArray()));
}
if (pas != null) {
eid = new DerOutputStream();
eid.putSequence(pas);
outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray()));
}
PAData[] inPAs = KDCReqDotPAData(asReq);
if (inPAs == null || inPAs.length == 0) {
Object preauth = options.get(Option.PREAUTH_REQUIRED);
if (preauth == null || preauth.equals(Boolean.TRUE)) {
throw new KrbException(Krb5.KDC_ERR_PREAUTH_REQUIRED);
}
} else {
try {
EncryptedData data = newEncryptedData(new DerValue(inPAs[0].getValue()));
EncryptionKey pakey = keyForUser(body.cname, data.getEType(), false);
data.decrypt(pakey, KeyUsage.KU_PA_ENC_TS);
} catch (Exception e) {
throw new KrbException(Krb5.KDC_ERR_PREAUTH_FAILED);
}
bFlags[Krb5.TKT_OPTS_PRE_AUTHENT] = true;
}
TicketFlags tFlags = new TicketFlags(bFlags);
EncTicketPart enc = new EncTicketPart(tFlags, key, body.cname, new TransitedEncoding(1, new byte[0]), new KerberosTime(new Date()), body.from, till, body.rtime, body.addresses, null);
Ticket t = new Ticket(service, new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET));
EncASRepPart enc_part = new EncASRepPart(key, new LastReq(new LastReqEntry[] { new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000)) }), // TODO: detect replay?
body.getNonce(), new KerberosTime(new Date().getTime() + 1000 * 3600 * 24), // Next 5 and last MUST be same with ticket
tFlags, new KerberosTime(new Date()), body.from, till, body.rtime, service, body.addresses);
EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART);
ASRep asRep = new ASRep(outPAs.toArray(new PAData[outPAs.size()]), body.cname, t, edata);
System.out.println(" Return " + asRep.cname + " ticket for " + asRep.ticket.sname + ", flags " + tFlags);
DerOutputStream out = new DerOutputStream();
out.write(DerValue.createTag(DerValue.TAG_APPLICATION, true, (byte) Krb5.KRB_AS_REP), asRep.asn1Encode());
byte[] result = out.toByteArray();
// Added feature:
// Write the current issuing TGT into a ccache file specified
// by the system property below.
String ccache = System.getProperty("test.kdc.save.ccache");
if (ccache != null) {
asRep.encKDCRepPart = enc_part;
sun.security.krb5.internal.ccache.Credentials credentials = new sun.security.krb5.internal.ccache.Credentials(asRep);
CredentialsCache cache = CredentialsCache.create(asReq.reqBody.cname, ccache);
if (cache == null) {
throw new IOException("Unable to create the cache file " + ccache);
}
cache.update(credentials);
cache.save();
}
return result;
} catch (KrbException ke) {
ke.printStackTrace(System.out);
KRBError kerr = ke.getError();
KDCReqBody body = asReq.reqBody;
System.out.println(" Error " + ke.returnCode() + " " + ke.returnCodeMessage());
byte[] eData = null;
if (kerr == null) {
if (ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED || ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) {
DerOutputStream bytes = new DerOutputStream();
bytes.write(new PAData(Krb5.PA_ENC_TIMESTAMP, new byte[0]).asn1Encode());
for (PAData p : outPAs) {
bytes.write(p.asn1Encode());
}
DerOutputStream temp = new DerOutputStream();
temp.write(DerValue.tag_Sequence, bytes);
eData = temp.toByteArray();
}
kerr = new KRBError(null, null, null, new KerberosTime(new Date()), 0, ke.returnCode(), body.cname, service, KrbException.errorMessage(ke.returnCode()), eData);
}
return kerr.asn1Encode();
}
}
Also used :
sun.security.krb5.internal(sun.security.krb5.internal)
sun.security.krb5(sun.security.krb5)
DerOutputStream(sun.security.util.DerOutputStream)
CredentialsCache(sun.security.krb5.internal.ccache.CredentialsCache)
DerValue(sun.security.util.DerValue)
InvocationTargetException(java.lang.reflect.InvocationTargetException)
Example 17 with PrincipalName
use of sun.security.krb5.PrincipalName in project jdk8u_jdk by JetBrains.
the class MoreKvno method main.
public static void main(String[] args) throws Exception {
OneKDC kdc = new OneKDC(null);
kdc.writeJAASConf();
// Rewrite keytab, 3 set of keys with different kvno
KeyTab ktab = KeyTab.create(OneKDC.KTAB);
p = new PrincipalName(OneKDC.SERVER + "@" + OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST);
ktab.addEntry(p, "pass1".toCharArray(), 1, true);
ktab.addEntry(p, "pass3".toCharArray(), 3, true);
ktab.addEntry(p, "pass2".toCharArray(), 2, true);
ktab.save();
char[] pass = "pass2".toCharArray();
kdc.addPrincipal(OneKDC.SERVER, pass);
go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept", pass);
pass = "pass3".toCharArray();
kdc.addPrincipal(OneKDC.SERVER, pass);
// "server" initiate also, check pass2 is used at authentication
go(OneKDC.SERVER, "server", pass);
try {
pass = "pass4".toCharArray();
kdc.addPrincipal(OneKDC.SERVER, pass);
go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept", pass);
throw new Exception("This test should fail");
} catch (GSSException gsse) {
// Since 7197159, different kvno is accepted, this return code
// will never be thrown out again.
//KrbException ke = (KrbException)gsse.getCause();
//if (ke.returnCode() != Krb5.KRB_AP_ERR_BADKEYVER) {
// throw new Exception("Not expected failure code: " +
// ke.returnCode());
//}
}
}
Also used :
GSSException(org.ietf.jgss.GSSException)
KeyTab(sun.security.krb5.internal.ktab.KeyTab)
PrincipalName(sun.security.krb5.PrincipalName)
GSSException(org.ietf.jgss.GSSException)
KrbException(sun.security.krb5.KrbException)
Example 18 with PrincipalName
use of sun.security.krb5.PrincipalName in project jdk8u_jdk by JetBrains.
the class W83 method main.
public static void main(String[] args) throws Exception {
W83 x = new W83();
// Cannot use OneKDC. kinit command cannot resolve
// hostname kdc.rabbit.hole
KDC kdc = new KDC(OneKDC.REALM, "127.0.0.1", 0, true);
kdc.addPrincipal(OneKDC.USER, OneKDC.PASS);
kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
Config.refresh();
kdc.writeKtab(OneKDC.KTAB);
KeyTab ktab = KeyTab.getInstance(OneKDC.KTAB);
for (int etype : EType.getBuiltInDefaults()) {
if (etype != EncryptedData.ETYPE_ARCFOUR_HMAC) {
ktab.deleteEntries(new PrincipalName(OneKDC.USER), etype, -1);
}
}
ktab.save();
if (System.getProperty("6932525") != null) {
// For 6932525 and 6951366, make sure the etypes sent in 2nd AS-REQ
// is not restricted to that of preauth
kdc.setOption(KDC.Option.ONLY_RC4_TGT, true);
}
if (System.getProperty("6959292") != null) {
// For 6959292, make sure that when etype for enc-part in 2nd AS-REQ
// is different from that of preauth, client can still decrypt it
kdc.setOption(KDC.Option.RC4_FIRST_PREAUTH, true);
}
x.go();
}
Also used :
KeyTab(sun.security.krb5.internal.ktab.KeyTab)
PrincipalName(sun.security.krb5.PrincipalName)
Example 19 with PrincipalName
use of sun.security.krb5.PrincipalName in project jdk8u_jdk by JetBrains.
the class Test method check.
static void check(String input, String output) throws Exception {
System.out.println(input + " -> " + output);
PrincipalName pn = new PrincipalName("host/" + input, PrincipalName.KRB_NT_SRV_HST);
if (!pn.getNameStrings()[1].equals(output)) {
throw new Exception("Output is " + pn);
}
}
Also used :
PrincipalName(sun.security.krb5.PrincipalName)
UnknownHostException(java.net.UnknownHostException)
Example 20 with PrincipalName
use of sun.security.krb5.PrincipalName in project jdk8u_jdk by JetBrains.
the class EmptyCC method main.
public static void main(String[] args) throws Exception {
final PrincipalName pn = new PrincipalName("dummy@FOO.COM");
final String ccache = args[0];
if (args.length == 1) {
// Main process, write the ccache and launch sub process
CredentialsCache cache = CredentialsCache.create(pn, ccache);
cache.save();
Proc p = Proc.create("EmptyCC").args(ccache, "readcc").env("KRB5CCNAME", ccache).start();
p.waitFor();
} else {
// Sub process, read the ccache
String cc = System.getenv("KRB5CCNAME");
if (!cc.equals(ccache)) {
throw new Exception("env not set correctly");
}
// Make sure the ccache is created with bare file name
if (CredentialsCache.getInstance() == null) {
throw new Exception("Cache not instantiated");
}
if (!new File("tmpcc").exists()) {
throw new Exception("File not found");
}
Credentials.acquireTGTFromCache(pn, null);
}
}
Also used :
CredentialsCache(sun.security.krb5.internal.ccache.CredentialsCache)
PrincipalName(sun.security.krb5.PrincipalName)
File(java.io.File)
Aggregations
PrincipalName (sun.security.krb5.PrincipalName)17
KeyTab (sun.security.krb5.internal.ktab.KeyTab)7
KrbException (sun.security.krb5.KrbException)6
EncryptionKey (sun.security.krb5.EncryptionKey)3
CredentialsCache (sun.security.krb5.internal.ccache.CredentialsCache)3
File (java.io.File)2
IOException (java.io.IOException)2
PrivilegedActionException (java.security.PrivilegedActionException)2
KerberosKey (javax.security.auth.kerberos.KerberosKey)2
KerberosPrincipal (javax.security.auth.kerberos.KerberosPrincipal)2
KerberosTicket (javax.security.auth.kerberos.KerberosTicket)2
ServicePermission (javax.security.auth.kerberos.ServicePermission)2
Realm (sun.security.krb5.Realm)2
RealmException (sun.security.krb5.RealmException)2
InvocationTargetException (java.lang.reflect.InvocationTargetException)1
BigInteger (java.math.BigInteger)1
UnknownHostException (java.net.UnknownHostException)1
LoginException (javax.security.auth.login.LoginException)1
GSSException (org.ietf.jgss.GSSException)1
ServiceCreds (sun.security.jgss.krb5.ServiceCreds)1
