Search in sources :

Example 1 with sun.security.krb5.internal

use of sun.security.krb5.internal in project jdk8u_jdk by JetBrains.

the class Credentials method acquireTGTFromCache.

/**
     * Returns a TGT for the given client principal from a ticket cache.
     *
     * @param princ the client principal. A value of null means that the
     * default principal name in the credentials cache will be used.
     * @param ticketCache the path to the tickets file. A value
     * of null will be accepted to indicate that the default
     * path should be searched
     * @returns the TGT credentials or null if none were found. If the tgt
     * expired, it is the responsibility of the caller to determine this.
     */
public static Credentials acquireTGTFromCache(PrincipalName princ, String ticketCache) throws KrbException, IOException {
    if (ticketCache == null) {
        // The default ticket cache on Windows and Mac is not a file.
        String os = java.security.AccessController.doPrivileged(new sun.security.action.GetPropertyAction("os.name"));
        if (os.toUpperCase(Locale.ENGLISH).startsWith("WINDOWS") || os.toUpperCase(Locale.ENGLISH).contains("OS X")) {
            Credentials creds = acquireDefaultCreds();
            if (creds == null) {
                if (DEBUG) {
                    System.out.println(">>> Found no TGT's in LSA");
                }
                return null;
            }
            if (princ != null) {
                if (creds.getClient().equals(princ)) {
                    if (DEBUG) {
                        System.out.println(">>> Obtained TGT from LSA: " + creds);
                    }
                    return creds;
                } else {
                    if (DEBUG) {
                        System.out.println(">>> LSA contains TGT for " + creds.getClient() + " not " + princ);
                    }
                    return null;
                }
            } else {
                if (DEBUG) {
                    System.out.println(">>> Obtained TGT from LSA: " + creds);
                }
                return creds;
            }
        }
    }
    /*
         * Returns the appropriate cache. If ticketCache is null, it is the
         * default cache otherwise it is the cache filename contained in it.
         */
    CredentialsCache ccache = CredentialsCache.getInstance(princ, ticketCache);
    if (ccache == null) {
        return null;
    }
    sun.security.krb5.internal.ccache.Credentials tgtCred = ccache.getDefaultCreds();
    if (tgtCred == null) {
        return null;
    }
    if (EType.isSupported(tgtCred.getEType())) {
        return tgtCred.setKrbCreds();
    } else {
        if (DEBUG) {
            System.out.println(">>> unsupported key type found the default TGT: " + tgtCred.getEType());
        }
        return null;
    }
}
Also used : CredentialsCache(sun.security.krb5.internal.ccache.CredentialsCache)

Example 2 with sun.security.krb5.internal

use of sun.security.krb5.internal in project jdk8u_jdk by JetBrains.

the class Klist method displayCache.

void displayCache() {
    CredentialsCache cache = (CredentialsCache) target;
    sun.security.krb5.internal.ccache.Credentials[] creds = cache.getCredsList();
    if (creds == null) {
        System.out.println("No credentials available in the cache " + name);
        System.exit(-1);
    }
    System.out.println("\nCredentials cache: " + name);
    String defaultPrincipal = cache.getPrimaryPrincipal().toString();
    int num = creds.length;
    if (num == 1)
        System.out.println("\nDefault principal: " + defaultPrincipal + ", " + creds.length + " entry found.\n");
    else
        System.out.println("\nDefault principal: " + defaultPrincipal + ", " + creds.length + " entries found.\n");
    if (creds != null) {
        for (int i = 0; i < creds.length; i++) {
            try {
                String starttime;
                String endtime;
                String renewTill;
                String servicePrincipal;
                if (creds[i].getStartTime() != null) {
                    starttime = format(creds[i].getStartTime());
                } else {
                    starttime = format(creds[i].getAuthTime());
                }
                endtime = format(creds[i].getEndTime());
                servicePrincipal = creds[i].getServicePrincipal().toString();
                System.out.println("[" + (i + 1) + "] " + " Service Principal:  " + servicePrincipal);
                System.out.println("     Valid starting:     " + starttime);
                System.out.println("     Expires:            " + endtime);
                if (creds[i].getRenewTill() != null) {
                    renewTill = format(creds[i].getRenewTill());
                    System.out.println("     Renew until:        " + renewTill);
                }
                if (options[0] == 'e') {
                    String eskey = EType.toString(creds[i].getEType());
                    String etkt = EType.toString(creds[i].getTktEType());
                    System.out.println("     EType (skey, tkt):  " + eskey + ", " + etkt);
                }
                if (options[1] == 'f') {
                    System.out.println("     Flags:              " + creds[i].getTicketFlags().toString());
                }
                if (options[2] == 'a') {
                    boolean first = true;
                    InetAddress[] caddr = creds[i].setKrbCreds().getClientAddresses();
                    if (caddr != null) {
                        for (InetAddress ia : caddr) {
                            String out;
                            if (options[3] == 'n') {
                                out = ia.getHostAddress();
                            } else {
                                out = ia.getCanonicalHostName();
                            }
                            System.out.println("     " + (first ? "Addresses:" : "          ") + "       " + out);
                            first = false;
                        }
                    } else {
                        System.out.println("     [No host addresses info]");
                    }
                }
            } catch (RealmException e) {
                System.out.println("Error reading principal from " + "the entry.");
                if (DEBUG) {
                    e.printStackTrace();
                }
                System.exit(-1);
            }
        }
    } else {
        System.out.println("\nNo entries found.");
    }
}
Also used : sun.security.krb5.internal(sun.security.krb5.internal) InetAddress(java.net.InetAddress)

Example 3 with sun.security.krb5.internal

use of sun.security.krb5.internal in project jdk8u_jdk by JetBrains.

the class KDC method processAsReq.

/**
     * Processes a AS_REQ and generates a AS_REP (or KRB_ERROR)
     * @param in the request
     * @return the response
     * @throws java.lang.Exception for various errors
     */
protected byte[] processAsReq(byte[] in) throws Exception {
    ASReq asReq = new ASReq(in);
    int[] eTypes = null;
    List<PAData> outPAs = new ArrayList<>();
    PrincipalName service = asReq.reqBody.sname;
    if (options.containsKey(KDC.Option.RESP_NT)) {
        service = new PrincipalName((int) options.get(KDC.Option.RESP_NT), service.getNameStrings(), Realm.getDefault());
    }
    try {
        System.out.println(realm + "> " + asReq.reqBody.cname + " sends AS-REQ for " + service + ", " + asReq.reqBody.kdcOptions);
        KDCReqBody body = asReq.reqBody;
        eTypes = KDCReqBodyDotEType(body);
        int eType = eTypes[0];
        EncryptionKey ckey = keyForUser(body.cname, eType, false);
        EncryptionKey skey = keyForUser(service, eType, true);
        if (options.containsKey(KDC.Option.ONLY_RC4_TGT)) {
            int tgtEType = EncryptedData.ETYPE_ARCFOUR_HMAC;
            boolean found = false;
            for (int i = 0; i < eTypes.length; i++) {
                if (eTypes[i] == tgtEType) {
                    found = true;
                    break;
                }
            }
            if (!found) {
                throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
            }
            skey = keyForUser(service, tgtEType, true);
        }
        if (ckey == null) {
            throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
        }
        if (skey == null) {
            // TODO
            throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP);
        }
        // Session key
        EncryptionKey key = generateRandomKey(eType);
        // Check time, TODO
        KerberosTime till = body.till;
        if (till == null) {
            // TODO
            throw new KrbException(Krb5.KDC_ERR_NEVER_VALID);
        } else if (till.isZero()) {
            till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11);
        }
        //body.from
        boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX + 1];
        if (body.kdcOptions.get(KDCOptions.FORWARDABLE)) {
            List<String> sensitives = (List<String>) options.get(Option.SENSITIVE_ACCOUNTS);
            if (sensitives != null && sensitives.contains(body.cname.toString())) {
            // Cannot make FORWARDABLE
            } else {
                bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
            }
        }
        if (body.kdcOptions.get(KDCOptions.RENEWABLE)) {
            bFlags[Krb5.TKT_OPTS_RENEWABLE] = true;
        //renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7);
        }
        if (body.kdcOptions.get(KDCOptions.PROXIABLE)) {
            bFlags[Krb5.TKT_OPTS_PROXIABLE] = true;
        }
        if (body.kdcOptions.get(KDCOptions.POSTDATED)) {
            bFlags[Krb5.TKT_OPTS_POSTDATED] = true;
        }
        if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
            bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
        }
        bFlags[Krb5.TKT_OPTS_INITIAL] = true;
        // Creating PA-DATA
        DerValue[] pas2 = null, pas = null;
        if (options.containsKey(KDC.Option.DUP_ETYPE)) {
            int n = (Integer) options.get(KDC.Option.DUP_ETYPE);
            switch(n) {
                case // customer's case in 7067974
                1:
                    pas2 = new DerValue[] { new DerValue(new ETypeInfo2(1, null, null).asn1Encode()), new DerValue(new ETypeInfo2(1, "", null).asn1Encode()), new DerValue(new ETypeInfo2(1, realm, new byte[] { 1 }).asn1Encode()) };
                    pas = new DerValue[] { new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()), new DerValue(new ETypeInfo(1, realm).asn1Encode()) };
                    break;
                case // we still reject non-null s2kparams and prefer E2 over E
                2:
                    pas2 = new DerValue[] { new DerValue(new ETypeInfo2(1, realm, new byte[] { 1 }).asn1Encode()), new DerValue(new ETypeInfo2(1, null, null).asn1Encode()), new DerValue(new ETypeInfo2(1, "", null).asn1Encode()) };
                    pas = new DerValue[] { new DerValue(new ETypeInfo(1, realm).asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()) };
                    break;
                case // but only E is wrong
                3:
                    pas = new DerValue[] { new DerValue(new ETypeInfo(1, realm).asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()) };
                    break;
                case // we also ignore rc4-hmac
                4:
                    pas = new DerValue[] { new DerValue(new ETypeInfo(23, "ANYTHING").asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()), new DerValue(new ETypeInfo(1, "").asn1Encode()) };
                    break;
                case // "" should be wrong, but we accept it now
                5:
                    // See s.s.k.internal.PAData$SaltAndParams
                    pas = new DerValue[] { new DerValue(new ETypeInfo(1, "").asn1Encode()), new DerValue(new ETypeInfo(1, null).asn1Encode()) };
                    break;
            }
        } else {
            int[] epas = eTypes;
            if (options.containsKey(KDC.Option.RC4_FIRST_PREAUTH)) {
                for (int i = 1; i < epas.length; i++) {
                    if (epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC) {
                        epas[i] = epas[0];
                        epas[0] = EncryptedData.ETYPE_ARCFOUR_HMAC;
                        break;
                    }
                }
                ;
            } else if (options.containsKey(KDC.Option.ONLY_ONE_PREAUTH)) {
                epas = new int[] { eTypes[0] };
            }
            pas2 = new DerValue[epas.length];
            for (int i = 0; i < epas.length; i++) {
                pas2[i] = new DerValue(new ETypeInfo2(epas[i], epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? null : getSalt(body.cname), null).asn1Encode());
            }
            boolean allOld = true;
            for (int i : eTypes) {
                if (i == EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96 || i == EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96) {
                    allOld = false;
                    break;
                }
            }
            if (allOld) {
                pas = new DerValue[epas.length];
                for (int i = 0; i < epas.length; i++) {
                    pas[i] = new DerValue(new ETypeInfo(epas[i], epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? null : getSalt(body.cname)).asn1Encode());
                }
            }
        }
        DerOutputStream eid;
        if (pas2 != null) {
            eid = new DerOutputStream();
            eid.putSequence(pas2);
            outPAs.add(new PAData(Krb5.PA_ETYPE_INFO2, eid.toByteArray()));
        }
        if (pas != null) {
            eid = new DerOutputStream();
            eid.putSequence(pas);
            outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray()));
        }
        PAData[] inPAs = KDCReqDotPAData(asReq);
        if (inPAs == null || inPAs.length == 0) {
            Object preauth = options.get(Option.PREAUTH_REQUIRED);
            if (preauth == null || preauth.equals(Boolean.TRUE)) {
                throw new KrbException(Krb5.KDC_ERR_PREAUTH_REQUIRED);
            }
        } else {
            try {
                EncryptedData data = newEncryptedData(new DerValue(inPAs[0].getValue()));
                EncryptionKey pakey = keyForUser(body.cname, data.getEType(), false);
                data.decrypt(pakey, KeyUsage.KU_PA_ENC_TS);
            } catch (Exception e) {
                throw new KrbException(Krb5.KDC_ERR_PREAUTH_FAILED);
            }
            bFlags[Krb5.TKT_OPTS_PRE_AUTHENT] = true;
        }
        TicketFlags tFlags = new TicketFlags(bFlags);
        EncTicketPart enc = new EncTicketPart(tFlags, key, body.cname, new TransitedEncoding(1, new byte[0]), new KerberosTime(new Date()), body.from, till, body.rtime, body.addresses, null);
        Ticket t = new Ticket(service, new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET));
        EncASRepPart enc_part = new EncASRepPart(key, new LastReq(new LastReqEntry[] { new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000)) }), // TODO: detect replay?
        body.getNonce(), new KerberosTime(new Date().getTime() + 1000 * 3600 * 24), // Next 5 and last MUST be same with ticket
        tFlags, new KerberosTime(new Date()), body.from, till, body.rtime, service, body.addresses);
        EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART);
        ASRep asRep = new ASRep(outPAs.toArray(new PAData[outPAs.size()]), body.cname, t, edata);
        System.out.println("     Return " + asRep.cname + " ticket for " + asRep.ticket.sname + ", flags " + tFlags);
        DerOutputStream out = new DerOutputStream();
        out.write(DerValue.createTag(DerValue.TAG_APPLICATION, true, (byte) Krb5.KRB_AS_REP), asRep.asn1Encode());
        byte[] result = out.toByteArray();
        // Added feature:
        // Write the current issuing TGT into a ccache file specified
        // by the system property below.
        String ccache = System.getProperty("test.kdc.save.ccache");
        if (ccache != null) {
            asRep.encKDCRepPart = enc_part;
            sun.security.krb5.internal.ccache.Credentials credentials = new sun.security.krb5.internal.ccache.Credentials(asRep);
            CredentialsCache cache = CredentialsCache.create(asReq.reqBody.cname, ccache);
            if (cache == null) {
                throw new IOException("Unable to create the cache file " + ccache);
            }
            cache.update(credentials);
            cache.save();
        }
        return result;
    } catch (KrbException ke) {
        ke.printStackTrace(System.out);
        KRBError kerr = ke.getError();
        KDCReqBody body = asReq.reqBody;
        System.out.println("     Error " + ke.returnCode() + " " + ke.returnCodeMessage());
        byte[] eData = null;
        if (kerr == null) {
            if (ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED || ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) {
                DerOutputStream bytes = new DerOutputStream();
                bytes.write(new PAData(Krb5.PA_ENC_TIMESTAMP, new byte[0]).asn1Encode());
                for (PAData p : outPAs) {
                    bytes.write(p.asn1Encode());
                }
                DerOutputStream temp = new DerOutputStream();
                temp.write(DerValue.tag_Sequence, bytes);
                eData = temp.toByteArray();
            }
            kerr = new KRBError(null, null, null, new KerberosTime(new Date()), 0, ke.returnCode(), body.cname, service, KrbException.errorMessage(ke.returnCode()), eData);
        }
        return kerr.asn1Encode();
    }
}
Also used : sun.security.krb5.internal(sun.security.krb5.internal) sun.security.krb5(sun.security.krb5) DerOutputStream(sun.security.util.DerOutputStream) CredentialsCache(sun.security.krb5.internal.ccache.CredentialsCache) DerValue(sun.security.util.DerValue) InvocationTargetException(java.lang.reflect.InvocationTargetException)

Example 4 with sun.security.krb5.internal

use of sun.security.krb5.internal in project jdk8u_jdk by JetBrains.

the class TimeInCCache method main.

public static void main(String[] args) throws Exception {
    // test code changes in DEBUG
    System.setProperty("sun.security.krb5.debug", "true");
    CCacheInputStream cis = new CCacheInputStream(new ByteArrayInputStream(ccache));
    cis.readVersion();
    cis.readTag();
    cis.readPrincipal(0x504);
    Method m = CCacheInputStream.class.getDeclaredMethod("readCred", Integer.TYPE);
    m.setAccessible(true);
    Credentials c = (Credentials) m.invoke(cis, new Integer(0x504));
    sun.security.krb5.Credentials cc = c.setKrbCreds();
    // 1. Make sure starttime is still null
    if (cc.getStartTime() != null) {
        throw new Exception("Fail, starttime should be zero here");
    }
    // 2. Make sure renewTill is still null
    if (cc.getRenewTill() != null) {
        throw new Exception("Fail, renewTill should be zero here");
    }
    // 3. Make sure isValid works
    c.isValid();
}
Also used : CCacheInputStream(sun.security.krb5.internal.ccache.CCacheInputStream) ByteArrayInputStream(java.io.ByteArrayInputStream) Method(java.lang.reflect.Method) Credentials(sun.security.krb5.internal.ccache.Credentials)

Aggregations

sun.security.krb5.internal (sun.security.krb5.internal)2 CredentialsCache (sun.security.krb5.internal.ccache.CredentialsCache)2 ByteArrayInputStream (java.io.ByteArrayInputStream)1 InvocationTargetException (java.lang.reflect.InvocationTargetException)1 Method (java.lang.reflect.Method)1 InetAddress (java.net.InetAddress)1 sun.security.krb5 (sun.security.krb5)1 CCacheInputStream (sun.security.krb5.internal.ccache.CCacheInputStream)1 Credentials (sun.security.krb5.internal.ccache.Credentials)1 DerOutputStream (sun.security.util.DerOutputStream)1 DerValue (sun.security.util.DerValue)1