Author: erodriguez
Date: Sat Oct 30 19:09:18 2004
New Revision: 56108
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/DefaultConfig.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Log:
Updated service workflow classes to use KerberosPrincipals.
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
==============================================================================
---
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
(original)
+++
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
Sat Oct 30 19:09:18 2004
@@ -23,6 +23,8 @@
import org.apache.kerberos.messages.components.*;
import org.apache.kerberos.messages.value.*;
+import javax.security.auth.kerberos.*;
+
public class AuthenticationService {
private PrincipalStore _store;
@@ -34,47 +36,44 @@
public AuthenticationReply getReplyFor(KdcRequest request) throws
KerberosException {
- Realm realm = request.getRealm();
-
- PrincipalName client = request.getCname();
- client.setRealm(realm);
+ KerberosPrincipal clientPrincipal =
request.getClientPrincipal();
- System.out.println("Client: " + client.getNameString());
- PrincipalStoreEntry clientEntry = _bootstrap.getEntry(client);
+ System.out.println("Client: " + clientPrincipal.toString());
+ PrincipalStoreEntry clientEntry =
_bootstrap.getEntry(clientPrincipal);
EncryptionKey clientKey;
if (clientEntry != null) {
clientKey = clientEntry.getEncryptionKey();
} else {
System.out.println("Going to look up client");
- clientKey = _store.getEntry(client).getEncryptionKey();
+ clientKey =
_store.getEntry(clientPrincipal).getEncryptionKey();
}
- PrincipalName server = request.getSname();
- server.setRealm(realm);
+ KerberosPrincipal serverPrincipal =
request.getServerPrincipal();
- System.out.println("Server: " + server.getNameString());
- PrincipalStoreEntry serverEntry = _bootstrap.getEntry(server);
+ System.out.println("Server: " + serverPrincipal.toString());
+ PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
EncryptionKey serverKey;
if (serverEntry != null) {
serverKey = serverEntry.getEncryptionKey();
} else {
System.out.println("Going to look up client");
- serverKey = _store.getEntry(server).getEncryptionKey();
+ serverKey =
_store.getEntry(serverPrincipal).getEncryptionKey();
}
- verifyPreAuthentication(request, client);
+ verifyPreAuthentication(request, clientPrincipal);
- Ticket ticket = getTicket(request);
- encryptTicketPart(ticket, serverKey);
+ Ticket ticket = getNewTicket(request, serverKey);
AuthenticationReply reply = getAuthenticationReply(request,
ticket);
encryptReplyPart(reply, clientKey);
- System.out.print("Got request from client " + client.toString()
+ " ");
- System.out.println("for access to " + server.toString());
+
+ System.out.print("Got request from client " +
clientPrincipal.toString() + " ");
+ System.out.println("for access to " +
serverPrincipal.toString());
+
return reply;
}
// TODO - currently no support for pre-auth; requires server store
support
- private void verifyPreAuthentication(KdcRequest request, PrincipalName
client) {
+ private void verifyPreAuthentication(KdcRequest request,
KerberosPrincipal clientPrincipal) {
/*
if(client.pa_enc_timestamp_required and
pa_enc_timestamp not present) then
@@ -111,22 +110,20 @@
}
// TODO - client and server parameters; requires store
- private Ticket getTicket(KdcRequest request) throws KerberosException {
+ private Ticket getNewTicket(KdcRequest request, EncryptionKey
serverKey) throws KerberosException {
- Ticket newTicket = new Ticket();
- newTicket.setTicketVersionNumber(LocalConfig.TICKET_VNO);
+ KerberosPrincipal ticketPrincipal =
request.getServerPrincipal();
- newTicket.setServerName(request.getSname());
- newTicket.setRealm(request.getRealm());
+ EncTicketPartModifier newTicketBody = new
EncTicketPartModifier();
if(request.getKdcOptions().get(KdcOptions.FORWARDABLE))
- newTicket.getFlags().set(TicketFlags.FORWARDABLE);
+ newTicketBody.setFlag(TicketFlags.FORWARDABLE);
if(request.getKdcOptions().get(KdcOptions.PROXIABLE))
- newTicket.getFlags().set(TicketFlags.PROXIABLE);
+ newTicketBody.setFlag(TicketFlags.PROXIABLE);
if(request.getKdcOptions().get(KdcOptions.ALLOW_POSTDATE))
- newTicket.getFlags().set(TicketFlags.MAY_POSTDATE);
+ newTicketBody.setFlag(TicketFlags.MAY_POSTDATE);
if(request.getKdcOptions().get(KdcOptions.RENEW) ||
request.getKdcOptions().get(KdcOptions.VALIDATE) ||
@@ -135,20 +132,19 @@
request.getKdcOptions().get(KdcOptions.ENC_TKT_IN_SKEY))
throw KerberosException.KDC_ERR_BADOPTION;
- newTicket.setSessionKey(CryptoService.getNewSessionKey());
- newTicket.setClientName(request.getCname());
- newTicket.setClientRealm(request.getRealm());
- newTicket.setTransitedEncoding(new TransitedEncoding());
+ newTicketBody.setSessionKey(CryptoService.getNewSessionKey());
+ newTicketBody.setClientPrincipal(request.getClientPrincipal());
+ newTicketBody.setTransitedEncoding(new TransitedEncoding());
KerberosTime now = new KerberosTime();
- newTicket.setAuthtime(now);
+ newTicketBody.setAuthTime(now);
- if(request.getKdcOptions().get(KdcOptions.POSTDATED)) {
+ if (request.getKdcOptions().get(KdcOptions.POSTDATED)) {
// TODO - possibly allow req.from range
if (!LocalConfig.KDC_POSTDATE_ALLOWED)
throw KerberosException.KDC_ERR_POLICY;
- newTicket.setFlag(TicketFlags.INVALID);
- newTicket.setStartTime(request.getFrom());
+ newTicketBody.setFlag(TicketFlags.INVALID);
+ newTicketBody.setStartTime(request.getFrom());
}
long till = 0;
@@ -163,11 +159,12 @@
new_tkt.starttime+max_life_for_realm);
*/
long endTime = Math.min(now.getTime() +
LocalConfig.DEFAULT_MAXIMUM_TICKET_LIFETIME, till);
- newTicket.setEndTime(new KerberosTime(endTime));
+ KerberosTime kerberosEndTime = new KerberosTime(endTime);
+ newTicketBody.setEndTime(kerberosEndTime);
long tempRtime = 0;
if (request.getKdcOptions().get(KdcOptions.RENEWABLE_OK) &&
- request.getTill().greaterThan(newTicket.getEndTime())) {
+ request.getTill().greaterThan(kerberosEndTime)) {
request.getKdcOptions().set(KdcOptions.RENEWABLE);
tempRtime = request.getTill().getTime();
}
@@ -189,33 +186,41 @@
tempRtime = request.getRtime().getTime();
if (request.getKdcOptions().get(KdcOptions.RENEWABLE)) {
- newTicket.getFlags().set(TicketFlags.RENEWABLE);
- long renewTill =
Math.min(newTicket.getStartTime().getTime()
+ newTicketBody.setFlag(TicketFlags.RENEWABLE);
+ long renewTill = Math.min(request.getFrom().getTime()
+
LocalConfig.DEFAULT_MAXIMUM_RENEWABLE_LIFETIME, tempRtime);
- newTicket.setRenewTill(new KerberosTime(renewTill));
+ newTicketBody.setRenewTill(new KerberosTime(renewTill));
}
- if (request.getAddresses() != null)
- newTicket.setClientAddresses(request.getAddresses());
+ if (request.getAddresses() != null) {
+
newTicketBody.setClientAddresses(request.getAddresses());
+ }
+
+ EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
+
+ EncryptedData encryptedData = encryptTicketPart(ticketPart,
serverKey);
+
+ Ticket newTicket = new Ticket(ticketPrincipal, encryptedData);
+ newTicket.setEncTicketPart(ticketPart);
+
return newTicket;
}
// TODO - support multiple encryption types
- private void encryptTicketPart(Ticket ticket, EncryptionKey serverKey) {
+ private EncryptedData encryptTicketPart(EncTicketPart ticketPart,
EncryptionKey serverKey) {
EncTicketPartEncoder encoder = new EncTicketPartEncoder();
-
+ EncryptedData encryptedTicketPart = null;
try {
- byte[] plainText = encoder.encode(ticket);
+ byte[] plainText = encoder.encode(ticketPart);
CryptoService enc = new CryptoService();
- EncryptedData cipherText =
enc.getEncryptedData(serverKey, plainText);
-
- ticket.setEncPart(cipherText);
+ encryptedTicketPart = enc.getEncryptedData(serverKey,
plainText);
} catch (Exception e) {
e.printStackTrace();
}
+ return encryptedTicketPart;
}
// TODO - support multiple encryption types
@@ -238,8 +243,7 @@
private AuthenticationReply getAuthenticationReply(KdcRequest request,
Ticket ticket) {
AuthenticationReply reply = new AuthenticationReply();
- reply.setCname(request.getCname());
- reply.setCrealm(request.getRealm());
+ reply.setClientPrincipal(request.getClientPrincipal());
reply.setTicket(ticket);
reply.setKey(ticket.getSessionKey());
@@ -250,15 +254,14 @@
reply.setNonce(request.getNonce());
reply.setFlags(ticket.getFlags());
- reply.setAuthTime(ticket.getAuthtime());
+ reply.setAuthTime(ticket.getAuthTime());
reply.setStartTime(ticket.getStartTime());
reply.setEndTime(ticket.getEndTime());
if (ticket.getFlags().get(TicketFlags.RENEWABLE))
reply.setRenewTill(ticket.getRenewTill());
- reply.setServerRealm(ticket.getRealm());
- reply.setServerName(ticket.getServerName());
+ reply.setServerPrincipal(ticket.getServerPrincipal());
reply.setClientAddresses(ticket.getClientAddresses());
return reply;
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/DefaultConfig.java
==============================================================================
---
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/DefaultConfig.java
(original)
+++
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/DefaultConfig.java
Sat Oct 30 19:09:18 2004
@@ -24,16 +24,16 @@
public class DefaultConfig {
// Default inet port
- public static final int KDC_INET_DEFAULT_PORT = 88;
+ public static final int KDC_INET_DEFAULT_PORT = 88;
// Default server name
- public static final String TGS_DEFAULT_SRV_NAME = "krbtgt";
+ public static final String TGS_DEFAULT_SRV_NAME = "krbtgt";
// Default NT
- public static final int TGS_DEFAULT_NT =
PrincipalName.KRB_NT_SRV_INST;
+ public static final PrincipalNameType TGS_DEFAULT_NT =
PrincipalNameType.KRB_NT_SRV_INST;
- public static final ReplayCache REPLAY_CACHE = new
InMemoryReplayCache();
+ public static final ReplayCache REPLAY_CACHE = new
InMemoryReplayCache();
// Default encryption type
- public static final EncryptionType DEFAULT_ETYPE =
EncryptionType.DES_CBC_MD5;
+ public static final EncryptionType DEFAULT_ETYPE =
EncryptionType.DES_CBC_MD5;
// Default encryption type list
public static final EncryptionType[] DEFAULT_ETYPE_LIST = {
EncryptionType.DES_CBC_MD5,
@@ -94,12 +94,8 @@
// Protocol constants and associated values
// Kerberos protocol version number
public static final int PVNO = 5;
- // Authenticator version number
- public static final int AUTHENTICATOR_VNO = 5;
- // Ticket version number
- public static final int TICKET_VNO = 5;
// Default keytab version number
public static final int KT_VNO = Keytab.VNO_2;
-
+
}
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
---
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Sat Oct 30 19:09:18 2004
@@ -30,6 +30,8 @@
import java.io.*;
import java.util.*;
+import javax.security.auth.kerberos.*;
+
/**
* RFC 1510 A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
*/
@@ -46,7 +48,7 @@
public TicketGrantReply getReplyFor(KdcRequest request) throws
KerberosException, IOException {
- System.out.println("Got request from " + request.getCname() +
"@" + request.getRealm());
+ System.out.println("Got request for " +
request.getServerPrincipal());
ApplicationRequest authHeader = getAuthHeader(request);
@@ -56,23 +58,13 @@
verifyTicket(authHeader, request);
- Realm realm = tgt.getRealm();
-
verifyBodyChecksum(authenticator.getChecksum(), request);
- EncryptionKey serverKey = getServerKey(request);
-
EncryptionKey sessionKey = CryptoService.getNewSessionKey();
EncryptionType eType =
CryptoService.getBestEncryptionType(request.getEType());
- Ticket newTicket = getNewTicket(request, tgt, realm,
sessionKey, authenticator);
-
- processTimes(request, newTicket, tgt);
-
- processTransited(newTicket, tgt);
-
- encryptTicketPart(newTicket, serverKey, request);
+ Ticket newTicket = getNewTicket(request, tgt, sessionKey,
authenticator);
TicketGrantReply reply = getReply(tgt, newTicket, sessionKey,
request);
@@ -121,14 +113,13 @@
if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) {
serverKey = authHeader.getTicket().getSessionKey();
} else {
- PrincipalName server = tgt.getServerName();
- server.setRealm(tgt.getRealm());
- PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(server);
+ KerberosPrincipal serverPrincipal =
tgt.getServerPrincipal();
+ PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
if (serverEntry != null) {
serverKey = serverEntry.getEncryptionKey();
} else {
System.out.println("Going to look up client");
- serverKey =
_store.getEntry(server).getEncryptionKey();
+ serverKey =
_store.getEntry(serverPrincipal).getEncryptionKey();
}
}
if (serverKey == null) {
@@ -161,9 +152,9 @@
throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
}
- if (!authenticator.getClientName().equals(tgt.getClientName())
&&
-
!authenticator.getClientRealm().equals(tgt.getClientRealm()))
+ if
(!authenticator.getClientPrincipal().getName().equals(tgt.getClientPrincipal().getName()))
{
throw KerberosException.KRB_AP_ERR_BADMATCH;
+ }
// TODO - need to get at IP Address for sender
if (tgt.getClientAddresses() != null) {
@@ -175,13 +166,11 @@
// error_out(KRB_AP_ERR_BADADDR);
}
- if(_replayCache.isReplay(authenticator.getClientTime(),
authenticator.getClientName(),
- authenticator.getClientRealm())) {
+ if(_replayCache.isReplay(authenticator.getClientTime(),
authenticator.getClientPrincipal())) {
throw KerberosException.KRB_AP_ERR_REPEAT;
}
- _replayCache.save(authenticator.getClientTime(),
authenticator.getClientName(),
- authenticator.getClientRealm());
+ _replayCache.save(authenticator.getClientTime(),
authenticator.getClientPrincipal());
if (!authenticator.getClientTime().isInClockSkew())
throw KerberosException.KRB_AP_ERR_SKEW;
@@ -211,7 +200,7 @@
Ticket tgt = authHeader.getTicket();
if
(!tgt.getRealm().toString().equals(LocalConfig.KDC_PRIMARY_REALM) &&
- !tgt.getServerName().equals(request.getSname()))
+
!tgt.getServerPrincipal().equals(request.getServerPrincipal()))
throw KerberosException.KRB_AP_ERR_NOT_US;
}
@@ -256,15 +245,14 @@
EncryptionKey serverKey = null;
// TODO - allow lookup with realm
try {
- PrincipalName server = request.getSname();
- server.setRealm(request.getRealm());
- System.out.println(server);
- PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(server);
+ KerberosPrincipal serverPrincipal =
request.getServerPrincipal();
+ System.out.println(serverPrincipal.getName());
+ PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
if (serverEntry != null) {
serverKey = serverEntry.getEncryptionKey();
} else {
System.out.println("Going to look up client");
- serverKey =
_store.getEntry(server).getEncryptionKey();
+ serverKey =
_store.getEntry(serverPrincipal).getEncryptionKey();
}
} catch (KerberosException ke) {
@@ -283,83 +271,89 @@
return serverKey;
}
- private Ticket getNewTicket(KdcRequest request, Ticket tgt,
- Realm realm, EncryptionKey sessionKey, Authenticator
authenticator)
- throws KerberosException {
+ private Ticket getNewTicket(KdcRequest request, Ticket tgt,
EncryptionKey sessionKey,
+ Authenticator authenticator) throws KerberosException {
+
+ KerberosPrincipal ticketPrincipal =
request.getServerPrincipal();
- Ticket newTicket = new Ticket();
- newTicket.setTicketVersionNumber(LocalConfig.TICKET_VNO);
- newTicket.setServerName(request.getSname());
- newTicket.setRealm(realm);
-
- /*
- * Note that local policy may affect the processing of any of
these flags.
- * For example, some realms may refuse to issue renewable
tickets
- */
- newTicket.setClientAddresses(tgt.getClientAddresses());
-
- processFlags(request, tgt, newTicket);
-
- newTicket.setSessionKey(sessionKey);
- newTicket.setClientRealm(tgt.getClientRealm());
- newTicket.setClientName(tgt.getClientName());
+ EncTicketPartModifier newTicketBody = new
EncTicketPartModifier();
+
+ newTicketBody.setClientAddresses(tgt.getClientAddresses());
+
+ processFlags(request, tgt, newTicketBody);
+
+ newTicketBody.setSessionKey(sessionKey);
+ newTicketBody.setClientPrincipal(tgt.getClientPrincipal());
AuthorizationData authData = processAuthorizationData(request,
authenticator, tgt);
- newTicket.setAuthorizationData(authData);
+ newTicketBody.setAuthorizationData(authData);
+
+ processTransited(newTicketBody, tgt);
+
+ processTimes(request, newTicketBody, tgt);
+
+ EncryptionKey serverKey = getServerKey(request);
+
+ EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
+
+ EncryptedData encryptedData = encryptTicketPart(ticketPart,
serverKey, request);
+
+ Ticket newTicket = new Ticket(ticketPrincipal, encryptedData);
+ newTicket.setEncTicketPart(ticketPart);
return newTicket;
}
- private void processFlags(KdcRequest request, Ticket tgt, Ticket
newTicket)
+ private void processFlags(KdcRequest request, Ticket tgt,
EncTicketPartModifier newTicketBody)
throws KerberosException {
if (request.getOption(KdcOptions.FORWARDABLE)) {
if (!tgt.getFlag(TicketFlags.FORWARDABLE))
throw KerberosException.KDC_ERR_BADOPTION;
- newTicket.setFlag(TicketFlags.FORWARDABLE);
+ newTicketBody.setFlag(TicketFlags.FORWARDABLE);
}
if (request.getOption(KdcOptions.FORWARDED)) {
if (!tgt.getFlag(TicketFlags.FORWARDABLE))
throw KerberosException.KDC_ERR_BADOPTION;
- newTicket.setFlag(TicketFlags.FORWARDED);
- newTicket.setClientAddresses(request.getAddresses());
+ newTicketBody.setFlag(TicketFlags.FORWARDED);
+
newTicketBody.setClientAddresses(request.getAddresses());
//
reply.setClientAddresses(request.getClientAddresses()); moved to getReply
}
if (tgt.getFlag(TicketFlags.FORWARDED))
- newTicket.setFlag(TicketFlags.FORWARDED);
+ newTicketBody.setFlag(TicketFlags.FORWARDED);
if (request.getOption(KdcOptions.PROXIABLE)) {
if (!tgt.getFlag(TicketFlags.PROXIABLE))
throw KerberosException.KDC_ERR_BADOPTION;
- newTicket.setFlag(TicketFlags.PROXIABLE);
+ newTicketBody.setFlag(TicketFlags.PROXIABLE);
}
if (request.getOption(KdcOptions.PROXY)) {
if (!tgt.getFlag(TicketFlags.PROXIABLE))
throw KerberosException.KDC_ERR_BADOPTION;
- newTicket.setFlag(TicketFlags.PROXY);
- newTicket.setClientAddresses(request.getAddresses());
+ newTicketBody.setFlag(TicketFlags.PROXY);
+
newTicketBody.setClientAddresses(request.getAddresses());
//
reply.setClientAddresses(request.getClientAddresses()); moved to getReply
}
if (request.getOption(KdcOptions.ALLOW_POSTDATE)) {
if (!tgt.getFlag(TicketFlags.MAY_POSTDATE))
throw KerberosException.KDC_ERR_BADOPTION;
- newTicket.setFlag(TicketFlags.MAY_POSTDATE);
+ newTicketBody.setFlag(TicketFlags.MAY_POSTDATE);
}
if (request.getOption(KdcOptions.POSTDATED)) {
if (!tgt.getFlag(TicketFlags.MAY_POSTDATE))
throw KerberosException.KDC_ERR_BADOPTION;
- newTicket.setFlag(TicketFlags.POSTDATED);
- newTicket.setFlag(TicketFlags.INVALID);
+ newTicketBody.setFlag(TicketFlags.POSTDATED);
+ newTicketBody.setFlag(TicketFlags.INVALID);
if (!LocalConfig.KDC_POSTDATE_ALLOWED)
throw KerberosException.KDC_ERR_POLICY;
- newTicket.setStartTime(request.getFrom());
+ newTicketBody.setStartTime(request.getFrom());
}
if (request.getOption(KdcOptions.VALIDATE)) {
@@ -374,7 +368,7 @@
*/
// TODO - tkt = tgt;
- newTicket.clearFlag(TicketFlags.INVALID);
+ newTicketBody.clearFlag(TicketFlags.INVALID);
}
if (request.getOption(KdcOptions.RESERVED) ||
@@ -383,12 +377,14 @@
throw KerberosException.KRB_AP_ERR_TKT_NYV;
}
- private void processTimes(KdcRequest request, Ticket newTicket, Ticket
tgt)
+ private void processTimes(KdcRequest request, EncTicketPartModifier
newTicketBody, Ticket tgt)
throws KerberosException {
KerberosTime now = new KerberosTime();
- newTicket.setAuthtime(tgt.getAuthtime());
+ newTicketBody.setAuthTime(tgt.getAuthTime());
+
+ KerberosTime renewalTime = null;
if (request.getOption(KdcOptions.RENEW)) {
/*
@@ -400,13 +396,21 @@
if (tgt.getRenewTill().greaterThan(now))
throw KerberosException.KRB_AP_ERR_TKT_EXPIRED;
- newTicket = tgt;
+
newTicketBody.setAuthorizationData(tgt.getAuthorizationData());
+ newTicketBody.setAuthTime(tgt.getAuthTime());
+
newTicketBody.setClientAddresses(tgt.getClientAddresses());
+
newTicketBody.setClientPrincipal(tgt.getClientPrincipal());
+ newTicketBody.setEndTime(tgt.getEndTime());
+ newTicketBody.setFlags(tgt.getFlags());
+ newTicketBody.setRenewTill(tgt.getRenewTill());
+ newTicketBody.setSessionKey(tgt.getSessionKey());
+
newTicketBody.setTransitedEncoding(tgt.getTransitedEncoding());
- newTicket.setStartTime(now);
+ newTicketBody.setStartTime(now);
long oldLife = tgt.getEndTime().getTime() -
tgt.getStartTime().getTime();
- newTicket.setEndTime(new
KerberosTime(Math.min(tgt.getRenewTill().getTime(),
newTicket.getStartTime().getTime() + oldLife)));
+ newTicketBody.setEndTime(new
KerberosTime(Math.min(tgt.getRenewTill().getTime(), now.getTime() + oldLife)));
} else {
- newTicket.setStartTime(now);
+ newTicketBody.setStartTime(now);
KerberosTime till;
if (request.getTill().isZero())
till = KerberosTime.INFINITY;
@@ -420,29 +424,34 @@
*/
List minimizer = new ArrayList();
minimizer.add(till);
- minimizer.add(new
KerberosTime(newTicket.getStartTime().getTime() +
LocalConfig.KDC_MAXIMUM_TICKET_LIFETIME));
+ minimizer.add(new KerberosTime(now.getTime() +
LocalConfig.KDC_MAXIMUM_TICKET_LIFETIME));
minimizer.add(tgt.getEndTime());
-
newTicket.setEndTime((KerberosTime)Collections.min(minimizer));
+ KerberosTime minTime =
(KerberosTime)Collections.min(minimizer);
+ newTicketBody.setEndTime(minTime);
if (request.getOption(KdcOptions.RENEWABLE_OK) &&
-
newTicket.getEndTime().lessThan(request.getTill()) &&
+ minTime.lessThan(request.getTill()) &&
tgt.getFlag(TicketFlags.RENEWABLE)) {
// we set the RENEWABLE option for later processing
request.setOption(KdcOptions.RENEWABLE);
long rtime =
Math.min(request.getTill().getTime(), tgt.getRenewTill().getTime());
- request.setRtime(new KerberosTime(rtime));
+ renewalTime = new KerberosTime(rtime);
}
}
+ if (renewalTime == null) {
+ renewalTime = request.getRtime();
+ }
+
KerberosTime rtime;
- if (request.getRtime() != null && request.getRtime().isZero())
+ if (renewalTime != null && renewalTime.isZero())
rtime = KerberosTime.INFINITY;
else
- rtime = request.getRtime();
+ rtime = renewalTime;
if (request.getOption(KdcOptions.RENEWABLE) &&
tgt.getFlag(TicketFlags.RENEWABLE)) {
- newTicket.setFlag(TicketFlags.RENEWABLE);
+ newTicketBody.setFlag(TicketFlags.RENEWABLE);
/*
new_tkt.starttime+client.max_rlife,
@@ -451,9 +460,9 @@
// TODO - client and server configurable; requires
store
List minimizer = new ArrayList();
minimizer.add(rtime);
- minimizer.add(new
KerberosTime(newTicket.getStartTime().getTime() +
LocalConfig.DEFAULT_MAXIMUM_RENEWABLE_LIFETIME));
+ minimizer.add(new KerberosTime(now.getTime() +
LocalConfig.DEFAULT_MAXIMUM_RENEWABLE_LIFETIME));
minimizer.add(tgt.getRenewTill());
-
newTicket.setRenewTill((KerberosTime)Collections.min(minimizer));
+
newTicketBody.setRenewTill((KerberosTime)Collections.min(minimizer));
}
}
@@ -494,20 +503,19 @@
new_tkt.transited := compress_transited(tgt.transited +
tgt.realm)
endif
*/
- private void processTransited(Ticket newTicket, Ticket tgt) {
+ private void processTransited(EncTicketPartModifier newTicketBody,
Ticket tgt) {
// TODO - currently no transited support other than local
- newTicket.setTransitedEncoding(tgt.getTransitedEncoding());
+ newTicketBody.setTransitedEncoding(tgt.getTransitedEncoding());
}
- // TODO - support multiple encryption types, this is hardwired for
DES_CBC_MD5
- private void encryptTicketPart(Ticket newTicket, EncryptionKey
serverKey, KdcRequest request)
- throws KerberosException {
+ private EncryptedData encryptTicketPart(EncTicketPart newTicketBody,
EncryptionKey serverKey,
+ KdcRequest request) throws KerberosException {
byte[] encodedTicket;
EncTicketPartEncoder encoder = new EncTicketPartEncoder();
try {
- encodedTicket = encoder.encode(newTicket);
+ encodedTicket = encoder.encode(newTicketBody);
} catch (IOException ioe) {
// TODO - figure out right error for ASN.1 generation
error
throw KerberosException.KRB_ERR_GENERIC;
@@ -528,11 +536,9 @@
using etype_for_key(second-ticket.key),
second-ticket.key;
*/
} else {
-
- EncryptedData cipherText =
enc.getEncryptedData(serverKey, encodedTicket);
-
- newTicket.setEncPart(cipherText);
+ // encrypt with serverKey
}
+ return enc.getEncryptedData(serverKey, encodedTicket);
}
// TODO - support multiple encryption types, this is hardwired for
DES_CBC_MD5
@@ -556,8 +562,7 @@
EncryptionKey sessionKey, KdcRequest request) {
TicketGrantReply reply = new TicketGrantReply();
- reply.setCrealm(tgt.getClientRealm());
- reply.setCname(tgt.getClientName());
+ reply.setClientPrincipal(tgt.getClientPrincipal());
reply.setTicket(newTicket);
reply.setKey(sessionKey);
reply.setNonce(request.getNonce());
@@ -565,11 +570,10 @@
reply.setLastRequest(new LastRequest());
reply.setFlags(newTicket.getFlags());
reply.setClientAddresses(newTicket.getClientAddresses());
- reply.setAuthTime(newTicket.getAuthtime());
+ reply.setAuthTime(newTicket.getAuthTime());
reply.setStartTime(newTicket.getStartTime());
reply.setEndTime(newTicket.getEndTime());
- reply.setServerName(newTicket.getServerName());
- reply.setServerRealm(newTicket.getRealm());
+ reply.setServerPrincipal(newTicket.getServerPrincipal());
if (newTicket.getFlag(TicketFlags.RENEWABLE))
reply.setRenewTill(newTicket.getRenewTill());
