
Example 1 with AuthTimeWithHash

use of sun.security.krb5.internal.rcache.AuthTimeWithHash in project jdk8u_jdk by JetBrains.

From the class ReplayCacheExpunge, method main.

/**
 * Fills a replay cache with many stale entries, then checks that storing a
 * fresh entry (which may trigger expunging of the old ones) followed by
 * re-storing a stale one raises no error.
 *
 * @param args {@code args[0]} is the number of stale entries to store
 * @throws Exception propagated from the replay cache
 */
public static void main(String[] args) throws Exception {
    // Make sure clockskew is default value
    System.setProperty("java.security.krb5.conf", "nothing");
    int staleCount = Integer.parseInt(args[0]);
    ReplayCache rc = ReplayCache.getInstance("dfl:./");
    AuthTimeWithHash stale = new AuthTimeWithHash(client, server, time(-400), 0, hash("1"));
    AuthTimeWithHash fresh = new AuthTimeWithHash(client, server, time(0), 0, hash("4"));
    KerberosTime now = new KerberosTime(time(0) * 1000L);
    KerberosTime then = new KerberosTime(time(-300) * 1000L);
    // Once upon a time, we added a lot of events
    int added = 0;
    while (added < staleCount) {
        stale = new AuthTimeWithHash(client, server, time(-400), 0, hash(""));
        rc.checkAndStore(then, stale);
        added++;
    }
    // Now, we add a new one. If some conditions hold, the old ones
    // will be expunged.
    rc.checkAndStore(now, fresh);
    // and adding an old one will not trigger any error
    rc.checkAndStore(now, stale);
}

Example 2 with AuthTimeWithHash

use of sun.security.krb5.internal.rcache.AuthTimeWithHash in project jdk8u_jdk by JetBrains.

From the class KrbApReq, method authenticate.

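/**
 * Decrypts and validates the AP-REQ held in {@code apReqMessg} against the
 * acceptor's credentials and records the authenticator in the replay cache.
 *
 * <p>Checks are applied in this order: the ticket is decrypted with a key
 * matching its etype/kvno; the authenticator is decrypted with the key carried
 * inside the ticket; the client names in both must match; the authenticator
 * time must be within the allowable clock skew; the authenticator is stored
 * in the replay cache (a repeated authenticator is rejected there); when an
 * initiator address is given and the ticket lists client addresses, the
 * initiator must be in that list; finally the ticket must be valid now
 * (not yet valid / INVALID flag / expired are rejected).
 *
 * <p>On success the fields {@code authenticator}, {@code ctime},
 * {@code cusec} and {@code creds} are populated.
 *
 * @param cred      acceptor credential supplying the ticket decryption keys
 * @param initiator address of the peer that sent the AP-REQ, or {@code null}
 *                  to skip the address check
 * @throws KrbException   if no suitable key exists or a Kerberos check fails
 *                        ({@link KrbApErrException} carries the KRB_AP_ERR_* code)
 * @throws IOException    presumably if a decrypted part cannot be decoded
 */
private void authenticate(Krb5AcceptCredential cred, InetAddress initiator) throws KrbException, IOException {
    int encPartKeyType = apReqMessg.ticket.encPart.getEType();
    Integer kvno = apReqMessg.ticket.encPart.getKeyVersionNumber();
    EncryptionKey[] keys = cred.getKrb5EncryptionKeys(apReqMessg.ticket.sname);
    EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, kvno, keys);
    if (dkey == null) {
        // NOTE(review): the message says "AP REP" although this is the AP-REQ ticket; left as-is.
        throw new KrbException(Krb5.API_INVALID_ARG, "Cannot find key of appropriate type to decrypt AP REP - " + EType.toString(encPartKeyType));
    }
    byte[] bytes = apReqMessg.ticket.encPart.decrypt(dkey, KeyUsage.KU_TICKET);
    byte[] temp = apReqMessg.ticket.encPart.reset(bytes);
    EncTicketPart enc_ticketPart = new EncTicketPart(temp);
    // Reject a ticket whose key etype is not permitted before that key is used for anything.
    checkPermittedEType(enc_ticketPart.key.getEType());
    byte[] bytes2 = apReqMessg.authenticator.decrypt(enc_ticketPart.key, KeyUsage.KU_AP_REQ_AUTHENTICATOR);
    byte[] temp2 = apReqMessg.authenticator.reset(bytes2);
    authenticator = new Authenticator(temp2);
    ctime = authenticator.ctime;
    cusec = authenticator.cusec;
    // Fold the microseconds into ctime so the comparisons below use full precision.
    authenticator.ctime = authenticator.ctime.withMicroSeconds(authenticator.cusec);
    if (!authenticator.cname.equals(enc_ticketPart.cname)) {
        throw new KrbApErrException(Krb5.KRB_AP_ERR_BADMATCH);
    }
    if (!authenticator.ctime.inClockSkew()) {
        throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
    }
    // The authenticator is identified in the replay cache by a digest of its
    // ciphertext. MD5 serves only as an identifier here, not for integrity;
    // presumably a collision would surface as a false KRB_AP_ERR_REPEAT
    // (rejection), not as an acceptance — confirm against AuthTimeWithHash.compareTo.
    byte[] hash;
    try {
        hash = MessageDigest.getInstance("MD5").digest(apReqMessg.authenticator.cipher);
    } catch (NoSuchAlgorithmException ex) {
        // MD5 is a mandatory JCA MessageDigest algorithm; keep the cause should it ever be missing.
        throw new AssertionError("Impossible", ex);
    }
    // Lower-case hex encoding of the digest via the class's hexConst table.
    char[] h = new char[hash.length * 2];
    for (int i = 0; i < hash.length; i++) {
        h[2 * i] = hexConst[(hash[i] & 0xff) >> 4];
        h[2 * i + 1] = hexConst[hash[i] & 0xf];
    }
    AuthTimeWithHash time = new AuthTimeWithHash(authenticator.cname.toString(), apReqMessg.ticket.sname.toString(), authenticator.ctime.getSeconds(), authenticator.cusec, new String(h));
    // Replay detection: the cache throws if this authenticator was seen before.
    // This store happens before the address and ticket-validity checks below,
    // so a request rejected by those checks is still recorded.
    rcache.checkAndStore(KerberosTime.now(), time);
    if (initiator != null) {
        // sender host address
        HostAddress sender = new HostAddress(initiator);
        if (enc_ticketPart.caddr != null && !enc_ticketPart.caddr.inList(sender)) {
            if (DEBUG) {
                System.out.println(">>> KrbApReq: initiator is " + sender.getInetAddress() + ", but caddr is " + Arrays.toString(enc_ticketPart.caddr.getInetAddresses()));
            }
            throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
        }
    }
    // Repeated-authenticator detection is done by rcache.checkAndStore above.
    KerberosTime now = KerberosTime.now();
    // Ticket not yet valid: starttime still in the future beyond the clock skew,
    // or the INVALID flag is set.
    if ((enc_ticketPart.starttime != null && enc_ticketPart.starttime.greaterThanWRTClockSkew(now)) || enc_ticketPart.flags.get(Krb5.TKT_OPTS_INVALID)) {
        throw new KrbApErrException(Krb5.KRB_AP_ERR_TKT_NYV);
    }
    // If the ticket's endtime is earlier than now by more
    // than the allowable clock skew, throws ticket expired exception.
    if (enc_ticketPart.endtime != null && now.greaterThanWRTClockSkew(enc_ticketPart.endtime)) {
        throw new KrbApErrException(Krb5.KRB_AP_ERR_TKT_EXPIRED);
    }
    creds = new Credentials(apReqMessg.ticket, authenticator.cname, apReqMessg.ticket.sname, enc_ticketPart.key, enc_ticketPart.flags, enc_ticketPart.authtime, enc_ticketPart.starttime, enc_ticketPart.endtime, enc_ticketPart.renewTill, enc_ticketPart.caddr, enc_ticketPart.authorizationData);
    if (DEBUG) {
        System.out.println(">>> KrbApReq: authenticate succeed.");
    }
}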

Example 3 with AuthTimeWithHash

use of sun.security.krb5.internal.rcache.AuthTimeWithHash in project jdk8u_jdk by JetBrains.

From the class AuthList, method put.

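/**
 * Puts the authenticator timestamp into the cache in descending order,
 * and throws an exception if it's already there.
 *
 * <p>The list is kept ordered by {@code compareTo}, newest first. The common
 * case (newcomer newer than the head) is O(1); otherwise the list is walked
 * to find the insertion point, and any entry comparing equal to {@code t}
 * is treated as a replay.
 *
 * <p>After inserting, the first entry whose {@code ctime} is older than
 * {@code currentTime - lifespan} (seconds) and everything after it are
 * dropped. NOTE(review): such old entries can therefore no longer be
 * detected as replays here; presumably the caller's clock-skew check rejects
 * authenticators that old before they reach this list — confirm that
 * {@code lifespan} is never smaller than the allowable clock skew.
 *
 * @param t           the authenticator time and hash to record
 * @param currentTime current time, used to expire old entries
 * @throws KrbApErrException with {@code Krb5.KRB_AP_ERR_REPEAT} if an entry
 *                           comparing equal to {@code t} is already present
 */
public void put(AuthTimeWithHash t, KerberosTime currentTime) throws KrbApErrException {
    if (entries.isEmpty()) {
        entries.addFirst(t);
    } else {
        AuthTimeWithHash head = entries.getFirst();
        int cmp = head.compareTo(t);
        if (cmp < 0) {
            // This is the most common case, newly received authenticator
            // has larger timestamp.
            entries.addFirst(t);
        } else if (cmp == 0) {
            throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT);
        } else {
            // Newcomer is older than the head, unless client clock being re-adjusted.
            // Walk from the second element and insert in front of the first older one.
            ListIterator<AuthTimeWithHash> it = entries.listIterator(1);
            boolean found = false;
            while (it.hasNext()) {
                AuthTimeWithHash cur = it.next();
                cmp = cur.compareTo(t);
                if (cmp < 0) {
                    // Find an older one, put in front of it. Use the iterator
                    // position rather than indexOf(): O(1) and independent of equals().
                    it.previous();
                    it.add(t);
                    found = true;
                    break;
                } else if (cmp == 0) {
                    throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT);
                }
            }
            if (!found) {
                // All is newer than the newcomer. Sigh.
                entries.addLast(t);
            }
        }
    }
    // let us cleanup while we are here
    long timeLimit = currentTime.getSeconds() - lifespan;
    ListIterator<AuthTimeWithHash> it = entries.listIterator(0);
    int index = -1;
    while (it.hasNext()) {
        // search expired timestamps.
        if (it.next().ctime < timeLimit) {
            // index of the element just returned by next()
            index = it.previousIndex();
            break;
        }
    }
    // Drop the first expired entry and everything after it in one operation.
    if (index > -1) {
        entries.subList(index, entries.size()).clear();
    }
}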

Example 4 with AuthTimeWithHash

use of sun.security.krb5.internal.rcache.AuthTimeWithHash in project jdk8u_jdk by JetBrains.

From the class ReplayCachePrecise, method main.

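/**
 * Exercises the replay cache's matching rules: two new-style entries with the
 * same timestamp but different hashes must both be accepted; when the cache
 * file holds only the old-style form of an entry, a partial match must be
 * reported as a replay.
 *
 * @param args unused
 * @throws Exception if {@code a2} is accepted after the cache file was
 *                   rewritten to hold only the old-style form of {@code a1},
 *                   or on any unexpected cache/file error
 */
public static void main(String[] args) throws Exception {
    AuthTimeWithHash a1 = new AuthTimeWithHash(client, server, time(0), 0, "1111111111111111");
    AuthTimeWithHash a2 = new AuthTimeWithHash(client, server, time(0), 0, "2222222222222222");
    KerberosTime now = new KerberosTime(time(0) * 1000L);
    // When all new styles, must exact match
    ReplayCache cache = ReplayCache.getInstance("dfl:./c1");
    cache.checkAndStore(now, a1);
    cache.checkAndStore(now, a2);
    // When only old style in cache, partial match
    cache = ReplayCache.getInstance("dfl:./c2");
    cache.checkAndStore(now, a1);
    // A small surgery to remove the new style from the cache file.
    // try-with-resources closes the channel even if the write fails.
    // Offset 6 is presumably the end of the cache file header — confirm against the dfl format.
    try (SeekableByteChannel ch = Files.newByteChannel(Paths.get("c2"), StandardOpenOption.WRITE, StandardOpenOption.READ)) {
        ch.position(6);
        ch.write(ByteBuffer.wrap(a1.encode(false)));
        ch.truncate(ch.position());
    }
    try {
        cache.checkAndStore(now, a2);
        throw new Exception("a2 was accepted although the cache holds only an old-style entry for the same time");
    } catch (KrbException ke) {
        // Correct
        System.out.println(ke);
    }
}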
