Example 11 with Realm
use of sun.security.krb5.Realm in project jdk8u_jdk by JetBrains.
the class KRBError method init.
/**
* Initializes a KRBError object.
* @param encoding a DER-encoded data.
* @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
* @exception IOException if an I/O error occurs while reading encoded data.
* @exception KrbApErrException if the value read from the DER-encoded data
* stream does not match the pre-defined value.
* @exception RealmException if an error occurs while parsing a Realm object.
*/
private void init(DerValue encoding) throws Asn1Exception, RealmException, KrbApErrException, IOException {
DerValue der, subDer;
if (((encoding.getTag() & (byte) 0x1F) != (byte) 0x1E) || (encoding.isApplication() != true) || (encoding.isConstructed() != true)) {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
der = encoding.getData().getDerValue();
if (der.getTag() != DerValue.tag_Sequence) {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
subDer = der.getData().getDerValue();
if ((subDer.getTag() & (byte) 0x1F) == (byte) 0x00) {
pvno = subDer.getData().getBigInteger().intValue();
if (pvno != Krb5.PVNO)
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADVERSION);
} else {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
subDer = der.getData().getDerValue();
if ((subDer.getTag() & (byte) 0x1F) == (byte) 0x01) {
msgType = subDer.getData().getBigInteger().intValue();
if (msgType != Krb5.KRB_ERROR) {
throw new KrbApErrException(Krb5.KRB_AP_ERR_MSG_TYPE);
}
} else {
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
cTime = KerberosTime.parse(der.getData(), (byte) 0x02, true);
if ((der.getData().peekByte() & 0x1F) == 0x03) {
subDer = der.getData().getDerValue();
cuSec = new Integer(subDer.getData().getBigInteger().intValue());
} else
cuSec = null;
sTime = KerberosTime.parse(der.getData(), (byte) 0x04, false);
subDer = der.getData().getDerValue();
if ((subDer.getTag() & (byte) 0x1F) == (byte) 0x05) {
suSec = new Integer(subDer.getData().getBigInteger().intValue());
} else
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
subDer = der.getData().getDerValue();
if ((subDer.getTag() & (byte) 0x1F) == (byte) 0x06) {
errorCode = subDer.getData().getBigInteger().intValue();
} else
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
Realm crealm = Realm.parse(der.getData(), (byte) 0x07, true);
cname = PrincipalName.parse(der.getData(), (byte) 0x08, true, crealm);
Realm realm = Realm.parse(der.getData(), (byte) 0x09, false);
sname = PrincipalName.parse(der.getData(), (byte) 0x0A, false, realm);
eText = null;
eData = null;
eCksum = null;
if (der.getData().available() > 0) {
if ((der.getData().peekByte() & 0x1F) == 0x0B) {
subDer = der.getData().getDerValue();
eText = new KerberosString(subDer.getData().getDerValue()).toString();
}
}
if (der.getData().available() > 0) {
if ((der.getData().peekByte() & 0x1F) == 0x0C) {
subDer = der.getData().getDerValue();
eData = subDer.getData().getOctetString();
}
}
if (der.getData().available() > 0) {
eCksum = Checksum.parse(der.getData(), (byte) 0x0D, true);
}
if (der.getData().available() > 0)
throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
Also used :
BigInteger(java.math.BigInteger)
KerberosString(sun.security.krb5.internal.util.KerberosString)
Asn1Exception(sun.security.krb5.Asn1Exception)
Realm(sun.security.krb5.Realm)
Example 12 with Realm
use of sun.security.krb5.Realm in project jdk8u_jdk by JetBrains.
the class KeyTabInputStream method readEntry.
KeyTabEntry readEntry(int entryLen, int ktVersion) throws IOException, RealmException {
index = entryLen;
if (index == 0) {
//in native implementation, when the last entry is deleted, a byte 0 is left.
return null;
}
if (index < 0) {
//in native implementation, when one of the entries is deleted, the entry length turns to be negative, and
//the fields are left with 0 bytes
skip(Math.abs(index));
return null;
}
//the number of service names.
int principalNum = read(2);
index -= 2;
if (ktVersion == KRB5_KT_VNO_1) {
//V1 includes realm in the count.
principalNum -= 1;
}
Realm realm = new Realm(readName());
String[] nameParts = new String[principalNum];
for (int i = 0; i < principalNum; i++) {
nameParts[i] = readName();
}
int nameType = read(4);
index -= 4;
PrincipalName service = new PrincipalName(nameType, nameParts, realm);
KerberosTime timeStamp = readTimeStamp();
int keyVersion = read() & 0xff;
index -= 1;
int keyType = read(2);
index -= 2;
int keyLength = read(2);
index -= 2;
byte[] keyblock = readKey(keyLength);
index -= keyLength;
// right, otherwise trust the new nonzero value.
if (index >= 4) {
int extKvno = read(4);
if (extKvno != 0) {
keyVersion = extKvno;
}
index -= 4;
}
// if index is negative, the keytab format must be wrong.
if (index < 0) {
throw new RealmException("Keytab is corrupted");
}
// ignore the left bytes.
skip(index);
return new KeyTabEntry(service, realm, timeStamp, keyVersion, keyType, keyblock);
}
Also used :
PrincipalName(sun.security.krb5.PrincipalName)
Realm(sun.security.krb5.Realm)
RealmException(sun.security.krb5.RealmException)
Example 13 with Realm
use of sun.security.krb5.Realm in project jdk8u_jdk by JetBrains.
the class KerberosClientKeyExchangeImpl method getServiceTicket.
// Similar to sun.security.jgss.krb5.Krb5InitCredenetial/Krb5Context
private static KerberosTicket getServiceTicket(String serverName, final AccessControlContext acc) throws IOException {
if ("localhost".equals(serverName) || "localhost.localdomain".equals(serverName)) {
if (debug != null && Debug.isOn("handshake")) {
System.out.println("Get the local hostname");
}
String localHost = java.security.AccessController.doPrivileged(new java.security.PrivilegedAction<String>() {
public String run() {
try {
return InetAddress.getLocalHost().getHostName();
} catch (java.net.UnknownHostException e) {
if (debug != null && Debug.isOn("handshake")) {
System.out.println("Warning," + " cannot get the local hostname: " + e.getMessage());
}
return null;
}
}
});
if (localHost != null) {
serverName = localHost;
}
}
// Resolve serverName (possibly in IP addr form) to Kerberos principal
// name for service with hostname
String serviceName = "host/" + serverName;
PrincipalName principal;
try {
principal = new PrincipalName(serviceName, PrincipalName.KRB_NT_SRV_HST);
} catch (SecurityException se) {
throw se;
} catch (Exception e) {
IOException ioe = new IOException("Invalid service principal" + " name: " + serviceName);
ioe.initCause(e);
throw ioe;
}
String realm = principal.getRealmAsString();
final String serverPrincipal = principal.toString();
final String tgsPrincipal = "krbtgt/" + realm + "@" + realm;
// use default
final String clientPrincipal = null;
// check permission to obtain a service ticket to initiate a
// context with the "host" service
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new ServicePermission(serverPrincipal, "initiate"), acc);
}
try {
KerberosTicket ticket = AccessController.doPrivileged(new PrivilegedExceptionAction<KerberosTicket>() {
public KerberosTicket run() throws Exception {
return Krb5Util.getTicketFromSubjectAndTgs(GSSCaller.CALLER_SSL_CLIENT, clientPrincipal, serverPrincipal, tgsPrincipal, acc);
}
});
if (ticket == null) {
throw new IOException("Failed to find any kerberos service" + " ticket for " + serverPrincipal);
}
return ticket;
} catch (PrivilegedActionException e) {
IOException ioe = new IOException("Attempt to obtain kerberos service ticket for " + serverPrincipal + " failed!");
ioe.initCause(e);
throw ioe;
}
}
Also used :
KerberosTicket(javax.security.auth.kerberos.KerberosTicket)
PrivilegedActionException(java.security.PrivilegedActionException)
PrincipalName(sun.security.krb5.PrincipalName)
IOException(java.io.IOException)
KrbException(sun.security.krb5.KrbException)
PrivilegedActionException(java.security.PrivilegedActionException)
IOException(java.io.IOException)
ServicePermission(javax.security.auth.kerberos.ServicePermission)
Example 14 with Realm
use of sun.security.krb5.Realm in project jdk8u_jdk by JetBrains.
the class KDC method processAsReq.
/**
* Processes a AS_REQ and generates a AS_REP (or KRB_ERROR)
* @param in the request
* @return the response
* @throws java.lang.Exception for various errors
*/
protected byte[] processAsReq(byte[] in) throws Exception {
ASReq asReq = new ASReq(in);
int[] eTypes = null;
List<PAData> outPAs = new ArrayList<>();
PrincipalName service = asReq.reqBody.sname;
if (options.containsKey(KDC.Option.RESP_NT)) {
service = new PrincipalName((int) options.get(KDC.Option.RESP_NT), service.getNameStrings(), Realm.getDefault());
}
try {
System.out.println(realm + "> " + asReq.reqBody.cname + " sends AS-REQ for " + service + ", " + asReq.reqBody.kdcOptions);
KDCReqBody body = asReq.reqBody;
eTypes = KDCReqBodyDotEType(body);
int eType = eTypes[0];
EncryptionKey ckey = keyForUser(body.cname, eType, false);
EncryptionKey skey = keyForUser(service, eType, true);
if (options.containsKey(KDC.Option.ONLY_RC4_TGT)) {
int tgtEType = EncryptedData.ETYPE_ARCFOUR_HMAC;
boolean found = false;
for (int i = 0; i < eTypes.length; i++) {
if (eTypes[i] == tgtEType) {
found = true;
break;
}
}
if (!found) {
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
}
skey = keyForUser(service, tgtEType, true);
}
if (ckey == null) {
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
}
if (skey == null) {
// TODO
throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP);
}
// Session key
EncryptionKey key = generateRandomKey(eType);
// Check time, TODO
KerberosTime till = body.till;
if (till == null) {
// TODO
throw new KrbException(Krb5.KDC_ERR_NEVER_VALID);
} else if (till.isZero()) {
till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11);
}
//body.from
boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX + 1];
if (body.kdcOptions.get(KDCOptions.FORWARDABLE)) {
List<String> sensitives = (List<String>) options.get(Option.SENSITIVE_ACCOUNTS);
if (sensitives != null && sensitives.contains(body.cname.toString())) {
// Cannot make FORWARDABLE
} else {
bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
}
}
if (body.kdcOptions.get(KDCOptions.RENEWABLE)) {
bFlags[Krb5.TKT_OPTS_RENEWABLE] = true;
//renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7);
}
if (body.kdcOptions.get(KDCOptions.PROXIABLE)) {
bFlags[Krb5.TKT_OPTS_PROXIABLE] = true;
}
if (body.kdcOptions.get(KDCOptions.POSTDATED)) {
bFlags[Krb5.TKT_OPTS_POSTDATED] = true;
}
if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
}
bFlags[Krb5.TKT_OPTS_INITIAL] = true;
// Creating PA-DATA
DerValue[] pas2 = null, pas = null;
if (options.containsKey(KDC.Option.DUP_ETYPE)) {
int n = (Integer) options.get(KDC.Option.DUP_ETYPE);
switch(n) {
case // customer's case in 7067974
1:
pas2 = new DerValue[] { new DerValue(new ETypeInfo2(1, null, null).asn1Encode()), new DerValue(new ETypeInfo2(1, "", null).asn1Encode()), new DerValue(new ETypeInfo2(1, realm, new byte[] { 1 }).asn1Encode()) };
pas = new DerValue[] { new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()), new DerValue(new ETypeInfo(1, realm).asn1Encode()) };
break;
case // we still reject non-null s2kparams and prefer E2 over E
2:
pas2 = new DerValue[] { new DerValue(new ETypeInfo2(1, realm, new byte[] { 1 }).asn1Encode()), new DerValue(new ETypeInfo2(1, null, null).asn1Encode()), new DerValue(new ETypeInfo2(1, "", null).asn1Encode()) };
pas = new DerValue[] { new DerValue(new ETypeInfo(1, realm).asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()) };
break;
case // but only E is wrong
3:
pas = new DerValue[] { new DerValue(new ETypeInfo(1, realm).asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()) };
break;
case // we also ignore rc4-hmac
4:
pas = new DerValue[] { new DerValue(new ETypeInfo(23, "ANYTHING").asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()) };
break;
case // "" should be wrong, but we accept it now
5:
// See s.s.k.internal.PAData$SaltAndParams
pas = new DerValue[] { new DerValue(new ETypeInfo(1, "").asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()) };
break;
}
} else {
int[] epas = eTypes;
if (options.containsKey(KDC.Option.RC4_FIRST_PREAUTH)) {
for (int i = 1; i < epas.length; i++) {
if (epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC) {
epas[i] = epas[0];
epas[0] = EncryptedData.ETYPE_ARCFOUR_HMAC;
break;
}
}
;
} else if (options.containsKey(KDC.Option.ONLY_ONE_PREAUTH)) {
epas = new int[] { eTypes[0] };
}
pas2 = new DerValue[epas.length];
for (int i = 0; i < epas.length; i++) {
pas2[i] = new DerValue(new ETypeInfo2(epas[i], epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? null : getSalt(body.cname), null).asn1Encode());
}
boolean allOld = true;
for (int i : eTypes) {
if (i == EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96 || i == EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96) {
allOld = false;
break;
}
}
if (allOld) {
pas = new DerValue[epas.length];
for (int i = 0; i < epas.length; i++) {
pas[i] = new DerValue(new ETypeInfo(epas[i], epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? null : getSalt(body.cname)).asn1Encode());
}
}
}
DerOutputStream eid;
if (pas2 != null) {
eid = new DerOutputStream();
eid.putSequence(pas2);
outPAs.add(new PAData(Krb5.PA_ETYPE_INFO2, eid.toByteArray()));
}
if (pas != null) {
eid = new DerOutputStream();
eid.putSequence(pas);
outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray()));
}
PAData[] inPAs = KDCReqDotPAData(asReq);
if (inPAs == null || inPAs.length == 0) {
Object preauth = options.get(Option.PREAUTH_REQUIRED);
if (preauth == null || preauth.equals(Boolean.TRUE)) {
throw new KrbException(Krb5.KDC_ERR_PREAUTH_REQUIRED);
}
} else {
try {
EncryptedData data = newEncryptedData(new DerValue(inPAs[0].getValue()));
EncryptionKey pakey = keyForUser(body.cname, data.getEType(), false);
data.decrypt(pakey, KeyUsage.KU_PA_ENC_TS);
} catch (Exception e) {
throw new KrbException(Krb5.KDC_ERR_PREAUTH_FAILED);
}
bFlags[Krb5.TKT_OPTS_PRE_AUTHENT] = true;
}
TicketFlags tFlags = new TicketFlags(bFlags);
EncTicketPart enc = new EncTicketPart(tFlags, key, body.cname, new TransitedEncoding(1, new byte[0]), new KerberosTime(new Date()), body.from, till, body.rtime, body.addresses, null);
Ticket t = new Ticket(service, new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET));
EncASRepPart enc_part = new EncASRepPart(key, new LastReq(new LastReqEntry[] { new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000)) }), // TODO: detect replay?
body.getNonce(), new KerberosTime(new Date().getTime() + 1000 * 3600 * 24), // Next 5 and last MUST be same with ticket
tFlags, new KerberosTime(new Date()), body.from, till, body.rtime, service, body.addresses);
EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART);
ASRep asRep = new ASRep(outPAs.toArray(new PAData[outPAs.size()]), body.cname, t, edata);
System.out.println(" Return " + asRep.cname + " ticket for " + asRep.ticket.sname + ", flags " + tFlags);
DerOutputStream out = new DerOutputStream();
out.write(DerValue.createTag(DerValue.TAG_APPLICATION, true, (byte) Krb5.KRB_AS_REP), asRep.asn1Encode());
byte[] result = out.toByteArray();
// Added feature:
// Write the current issuing TGT into a ccache file specified
// by the system property below.
String ccache = System.getProperty("test.kdc.save.ccache");
if (ccache != null) {
asRep.encKDCRepPart = enc_part;
sun.security.krb5.internal.ccache.Credentials credentials = new sun.security.krb5.internal.ccache.Credentials(asRep);
CredentialsCache cache = CredentialsCache.create(asReq.reqBody.cname, ccache);
if (cache == null) {
throw new IOException("Unable to create the cache file " + ccache);
}
cache.update(credentials);
cache.save();
}
return result;
} catch (KrbException ke) {
ke.printStackTrace(System.out);
KRBError kerr = ke.getError();
KDCReqBody body = asReq.reqBody;
System.out.println(" Error " + ke.returnCode() + " " + ke.returnCodeMessage());
byte[] eData = null;
if (kerr == null) {
if (ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED || ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) {
DerOutputStream bytes = new DerOutputStream();
bytes.write(new PAData(Krb5.PA_ENC_TIMESTAMP, new byte[0]).asn1Encode());
for (PAData p : outPAs) {
bytes.write(p.asn1Encode());
}
DerOutputStream temp = new DerOutputStream();
temp.write(DerValue.tag_Sequence, bytes);
eData = temp.toByteArray();
}
kerr = new KRBError(null, null, null, new KerberosTime(new Date()), 0, ke.returnCode(), body.cname, service, KrbException.errorMessage(ke.returnCode()), eData);
}
return kerr.asn1Encode();
}
}
Also used :
sun.security.krb5.internal(sun.security.krb5.internal)
sun.security.krb5(sun.security.krb5)
DerOutputStream(sun.security.util.DerOutputStream)
CredentialsCache(sun.security.krb5.internal.ccache.CredentialsCache)
DerValue(sun.security.util.DerValue)
InvocationTargetException(java.lang.reflect.InvocationTargetException)
Example 15 with Realm
use of sun.security.krb5.Realm in project jdk8u_jdk by JetBrains.
the class DNS method main.
public static void main(String[] args) throws Exception {
System.setProperty("java.security.krb5.conf", System.getProperty("test.src", ".") + "/no-such-file.conf");
Config config = Config.getInstance();
try {
String r = config.getDefaultRealm();
throw new Exception("What? There is a default realm " + r + "?");
} catch (KrbException ke) {
ke.printStackTrace();
if (ke.getCause() != null) {
throw new Exception("There should be no cause. Won't try DNS");
}
}
String kdcs = config.getKDCList("X");
if (!kdcs.equals("a.com.:88 b.com.:99") && !kdcs.equals("a.com. b.com.:99")) {
throw new Exception("Strange KDC: [" + kdcs + "]");
}
;
}
Also used :
Config(sun.security.krb5.Config)
KrbException(sun.security.krb5.KrbException)
KrbException(sun.security.krb5.KrbException)
Aggregations
PrincipalName (sun.security.krb5.PrincipalName)5
KerberosString (sun.security.krb5.internal.util.KerberosString)5
Asn1Exception (sun.security.krb5.Asn1Exception)4
KrbException (sun.security.krb5.KrbException)4
Realm (sun.security.krb5.Realm)4
BigInteger (java.math.BigInteger)3
Config (sun.security.krb5.Config)2
IOException (java.io.IOException)1
InvocationTargetException (java.lang.reflect.InvocationTargetException)1
PrivilegedActionException (java.security.PrivilegedActionException)1
Vector (java.util.Vector)1
KerberosTicket (javax.security.auth.kerberos.KerberosTicket)1
ServicePermission (javax.security.auth.kerberos.ServicePermission)1
sun.security.krb5 (sun.security.krb5)1
RealmException (sun.security.krb5.RealmException)1
sun.security.krb5.internal (sun.security.krb5.internal)1
CredentialsCache (sun.security.krb5.internal.ccache.CredentialsCache)1
DerOutputStream (sun.security.util.DerOutputStream)1
DerValue (sun.security.util.DerValue)1
