Author: erodriguez
Date: Tue Nov 9 21:19:42 2004
New Revision: 57141
Added:
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
Modified:
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/AuthenticationService.java
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
Log:
Added new KerberosService and started moving common service functionality to
it. Want to check it in before upcoming major refactoring move.
Modified:
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
==============================================================================
---
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
(original)
+++
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
Tue Nov 9 21:19:42 2004
@@ -16,45 +16,54 @@
*/
package org.apache.kerberos.changepw;
-import org.apache.kerberos.changepw.io.*;
-import org.apache.kerberos.changepw.messages.*;
-import org.apache.kerberos.changepw.store.*;
-import org.apache.kerberos.changepw.value.*;
-import org.apache.kerberos.crypto.*;
-import org.apache.kerberos.io.decoder.*;
-import org.apache.kerberos.io.encoder.*;
-import org.apache.kerberos.kdc.*;
-import org.apache.kerberos.kdc.store.*;
-import org.apache.kerberos.messages.*;
-import org.apache.kerberos.messages.application.*;
+import org.apache.kerberos.changepw.io.ChangePasswordDataDecoder;
+import org.apache.kerberos.changepw.messages.ChangePasswordReply;
+import org.apache.kerberos.changepw.messages.ChangePasswordReplyModifier;
+import org.apache.kerberos.changepw.messages.ChangePasswordRequest;
+import org.apache.kerberos.changepw.store.PasswordStore;
+import org.apache.kerberos.changepw.value.ChangePasswordData;
+import org.apache.kerberos.changepw.value.ChangePasswordDataModifier;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
+import org.apache.kerberos.io.decoder.EncKrbPrivPartDecoder;
+import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
+import org.apache.kerberos.io.encoder.EncApRepPartEncoder;
+import org.apache.kerberos.io.encoder.EncKrbPrivPartEncoder;
+import org.apache.kerberos.kdc.KdcConfiguration;
+import org.apache.kerberos.kdc.KerberosException;
+import org.apache.kerberos.kdc.KerberosService;
+import org.apache.kerberos.kdc.store.PrincipalStore;
+import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.MessageType;
+import org.apache.kerberos.messages.application.ApplicationReply;
+import org.apache.kerberos.messages.application.PrivateMessage;
import org.apache.kerberos.messages.components.*;
-import org.apache.kerberos.messages.components.Authenticator;
import org.apache.kerberos.messages.value.*;
-import java.io.*;
-import java.net.*;
-
-import javax.security.auth.kerberos.*;
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import java.io.IOException;
+import java.net.InetAddress;
/**
* Kerberos Change Password and Set Password Protocols (RFC 3244)
*/
-public class ChangePasswordService {
+public class ChangePasswordService extends KerberosService {
- private PasswordStore _store;
- private PrincipalStore _bootstrap;
- private CryptoService _cryptoService;
- private KdcConfiguration _config;
+ private PasswordStore store;
+ private PrincipalStore bootstrap;
+ private KdcConfiguration config;
- public ChangePasswordService(PasswordStore store, PrincipalStore
bootstrap,
- CryptoService cryptoService, KdcConfiguration config) {
-
- _store = store;
- _bootstrap = bootstrap;
- _cryptoService = cryptoService;
- _config = config;
+ public ChangePasswordService(PasswordStore store, PrincipalStore
bootstrap, KdcConfiguration config)
+ {
+ super(config, bootstrap, null);
+
+ this.store = store;
+ this.bootstrap = bootstrap;
+ this.config = config;
}
-
+
public ChangePasswordReply getReplyFor(ChangePasswordRequest request)
throws KerberosException, IOException {
@@ -64,21 +73,23 @@
Authenticator authenticator = verifyAuthHeader(authHeader,
ticket);
- verifyTicket(ticket, _config.getChangepwPrincipal());
+ verifyTicket(ticket, config.getChangepwPrincipal());
// TODO - check ticket is for service authorized to change
passwords
- //
ticket.getServerPrincipal().getName().equals(_config.getChangepwPrincipal().getName()));
+ //
ticket.getServerPrincipal().getName().equals(config.getChangepwPrincipal().getName()));
// TODO - check client principal in ticket is authorized to
change password
// get the subsession key from the Authenticator
EncryptionKey sessionKey = authenticator.getSubSessionKey();
- // decrypt the request's private message with the subsession key
+ // getDecryptedData the request's private message with the
subsession key
EncryptedData encReqPrivPart =
request.getPrivateMessage().getEncryptedPart();
EncKrbPrivPart privatePart;
try {
- byte[] decPrivPart = _cryptoService.decrypt(sessionKey,
encReqPrivPart);
+ EncryptionEngine engine = getEncryptionEngine(sessionKey);
+
+ byte[] decPrivPart =
engine.getDecryptedData(sessionKey, encReqPrivPart);
EncKrbPrivPartDecoder privDecoder = new
EncKrbPrivPartDecoder();
privatePart = privDecoder.decode(decPrivPart);
@@ -110,7 +121,7 @@
KerberosKey newKey = new KerberosKey(clientPrincipal,
password.toCharArray(), "DES");
// store password in database
- String principalName = _store.changePassword(clientPrincipal,
newKey.getEncoded());
+ String principalName = store.changePassword(clientPrincipal,
newKey.getEncoded());
System.out.println("Successfully modified principal named " +
principalName);
// begin building reply
@@ -129,7 +140,9 @@
EncryptedData encPrivPart = null;
try {
- encPrivPart =
_cryptoService.getEncryptedData(sessionKey, encodedPrivPart);
+ EncryptionEngine engine = getEncryptionEngine(sessionKey);
+
+ encPrivPart = engine.getEncryptedData(sessionKey,
encodedPrivPart);
} catch (KerberosException ke) {
ke.printStackTrace();
}
@@ -148,7 +161,9 @@
EncryptedData encRepPart = null;
try {
- encRepPart =
_cryptoService.getEncryptedData(ticket.getSessionKey(), encodedRepPart);
+ EncryptionEngine engine =
getEncryptionEngine(ticket.getSessionKey());
+
+ encRepPart =
engine.getEncryptedData(ticket.getSessionKey(), encodedRepPart);
} catch (KerberosException ke) {
ke.printStackTrace();
}
@@ -176,19 +191,18 @@
if (authHeader.getTicket().getTicketVersionNumber() != 5)
throw KerberosException.KRB_AP_ERR_BADVERSION;
- // TODO - support multiple encryption types
EncryptionKey serverKey = null;
if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) {
serverKey = authHeader.getTicket().getSessionKey();
} else {
KerberosPrincipal serverPrincipal =
ticket.getServerPrincipal();
- PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
+ PrincipalStoreEntry serverEntry =
bootstrap.getEntry(serverPrincipal);
if (serverEntry != null) {
serverKey = serverEntry.getEncryptionKey();
}/*
else {
- serverKey =
_store.getEntry(serverPrincipal).getEncryptionKey();
+ serverKey =
store.getEntry(serverPrincipal).getEncryptionKey();
}
*/
}
@@ -201,7 +215,9 @@
}
try {
- byte[] decTicketPart =
_cryptoService.decrypt(serverKey, ticket.getEncPart());
+ EncryptionEngine engine = getEncryptionEngine(serverKey);
+
+ byte[] decTicketPart =
engine.getDecryptedData(serverKey, ticket.getEncPart());
EncTicketPartDecoder ticketPartDecoder = new
EncTicketPartDecoder();
EncTicketPart encPart =
ticketPartDecoder.decode(decTicketPart);
@@ -213,7 +229,9 @@
Authenticator authenticator;
try {
- byte[] decAuthenticator =
_cryptoService.decrypt(ticket.getSessionKey(), authHeader.getEncPart());
+ EncryptionEngine engine =
getEncryptionEngine(ticket.getSessionKey());
+
+ byte[] decAuthenticator =
engine.getDecryptedData(ticket.getSessionKey(), authHeader.getEncPart());
AuthenticatorDecoder authDecoder = new
AuthenticatorDecoder();
authenticator = authDecoder.decode(decAuthenticator);
} catch (KerberosException ke) {
@@ -242,10 +260,10 @@
_replayCache.save(authenticator.getClientTime(),
authenticator.getClientPrincipal());
*/
- if
(!authenticator.getClientTime().isInClockSkew(_config.getClockSkew()))
+ if
(!authenticator.getClientTime().isInClockSkew(config.getClockSkew()))
throw KerberosException.KRB_AP_ERR_SKEW;
- if (ticket.getStartTime() != null &&
!ticket.getStartTime().isInClockSkew(_config.getClockSkew()) ||
+ if (ticket.getStartTime() != null &&
!ticket.getStartTime().isInClockSkew(config.getClockSkew()) ||
ticket.getFlag(TicketFlags.INVALID))
// it hasn't yet become valid
throw KerberosException.KRB_AP_ERR_TKT_NYV;
@@ -257,15 +275,6 @@
authHeader.setOption(ApOptions.MUTUAL_REQUIRED);
return authenticator;
- }
-
- // TODO - this is a duplicate from the TGS service
- private void verifyTicket(Ticket ticket, KerberosPrincipal
serverPrincipal)
- throws KerberosException {
-
- if (!ticket.getRealm().equals(_config.getPrimaryRealm())
- &&
!ticket.getServerPrincipal().equals(serverPrincipal))
- throw KerberosException.KRB_AP_ERR_NOT_US;
}
}
Modified:
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/AuthenticationService.java
==============================================================================
---
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/AuthenticationService.java
(original)
+++
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/AuthenticationService.java
Tue Nov 9 21:19:42 2004
@@ -16,67 +16,51 @@
*/
package org.apache.kerberos.kdc;
-import org.apache.kerberos.crypto.*;
-import org.apache.kerberos.io.encoder.*;
-import org.apache.kerberos.kdc.store.*;
-import org.apache.kerberos.messages.*;
-import org.apache.kerberos.messages.components.*;
+import org.apache.kerberos.crypto.RandomKey;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.io.encoder.EncAsRepPartEncoder;
+import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
+import org.apache.kerberos.kdc.store.PrincipalStore;
+import org.apache.kerberos.messages.AuthenticationReply;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.components.EncTicketPart;
+import org.apache.kerberos.messages.components.EncTicketPartModifier;
+import org.apache.kerberos.messages.components.Ticket;
import org.apache.kerberos.messages.value.*;
-import javax.security.auth.kerberos.*;
+import javax.security.auth.kerberos.KerberosPrincipal;
-public class AuthenticationService {
+public class AuthenticationService extends KerberosService {
- private PrincipalStore _store;
- private PrincipalStore _bootstrap;
- private CryptoService _cryptoService;
- private KdcConfiguration _config;
-
- public AuthenticationService(PrincipalStore store, PrincipalStore
bootstrap,
- CryptoService cryptoService, KdcConfiguration config) {
-
- _store = store;
- _bootstrap = bootstrap;
- _cryptoService = cryptoService;
- _config = config;
- }
+ private KdcConfiguration config;
+ public AuthenticationService(PrincipalStore store, PrincipalStore
bootstrap, KdcConfiguration config)
+ {
+ super(config, bootstrap, store);
+
+ this.config = config;
+ }
+
public AuthenticationReply getReplyFor(KdcRequest request) throws
KerberosException {
KerberosPrincipal clientPrincipal =
request.getClientPrincipal();
- System.out.println(clientPrincipal.getName());
+ EncryptionKey clientKey = getKeyForPrincipal(clientPrincipal);
+
+ if (clientKey == null)
+ {
+ throw KerberosException.KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ }
- EncryptionKey clientKey;
- try {
- PrincipalStoreEntry clientEntry =
_bootstrap.getEntry(clientPrincipal);
- if (clientEntry != null) {
- clientKey = clientEntry.getEncryptionKey();
- } else {
- clientKey =
_store.getEntry(clientPrincipal).getEncryptionKey();
- }
- } catch (Exception e) {
- e.printStackTrace();
- throw KerberosException.KDC_ERR_C_PRINCIPAL_UNKNOWN;
- }
-
KerberosPrincipal serverPrincipal =
request.getServerPrincipal();
- System.out.println(serverPrincipal.getName());
+ EncryptionKey serverKey = getKeyForPrincipal(serverPrincipal);
+
+ if (serverKey == null)
+ {
+ throw KerberosException.KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ }
- EncryptionKey serverKey;
- try {
- PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
- if (serverEntry != null) {
- serverKey = serverEntry.getEncryptionKey();
- } else {
- serverKey =
_store.getEntry(serverPrincipal).getEncryptionKey();
- }
- } catch (Exception e) {
- e.printStackTrace();
- throw KerberosException.KDC_ERR_S_PRINCIPAL_UNKNOWN;
- }
-
verifyPreAuthentication(request, clientPrincipal);
Ticket ticket = getNewTicket(request, serverKey);
@@ -100,7 +84,7 @@
/*
if(pa_enc_timestamp present) then
- decrypt req.padata-value into decrypted_enc_timestamp
+ getDecryptedData req.padata-value into
decrypted_enc_timestamp
using client.key;
using auth_hdr.authenticator.subkey;
if (decrypt_error()) then
@@ -149,7 +133,7 @@
request.getKdcOptions().get(KdcOptions.ENC_TKT_IN_SKEY))
throw KerberosException.KDC_ERR_BADOPTION;
- newTicketBody.setSessionKey(_cryptoService.getNewSessionKey());
+ newTicketBody.setSessionKey(new RandomKey().getNewSessionKey());
newTicketBody.setClientPrincipal(request.getClientPrincipal());
newTicketBody.setTransitedEncoding(new TransitedEncoding());
@@ -158,7 +142,7 @@
if (request.getKdcOptions().get(KdcOptions.POSTDATED)) {
// TODO - possibly allow req.from range
- if (!_config.isPostdateAllowed())
+ if (!config.isPostdateAllowed())
throw KerberosException.KDC_ERR_POLICY;
newTicketBody.setFlag(TicketFlags.INVALID);
newTicketBody.setStartTime(request.getFrom());
@@ -175,7 +159,7 @@
new_tkt.starttime+server.max_life,
new_tkt.starttime+max_life_for_realm);
*/
- long endTime = Math.min(now.getTime() +
_config.getMaximumTicketLifetime(), till);
+ long endTime = Math.min(now.getTime() +
config.getMaximumTicketLifetime(), till);
KerberosTime kerberosEndTime = new KerberosTime(endTime);
newTicketBody.setEndTime(kerberosEndTime);
@@ -205,7 +189,7 @@
if (request.getKdcOptions().get(KdcOptions.RENEWABLE)) {
newTicketBody.setFlag(TicketFlags.RENEWABLE);
long renewTill = Math.min(request.getFrom().getTime()
- +
_config.getMaximumRenewableLifetime(), tempRtime);
+ + config.getMaximumRenewableLifetime(),
tempRtime);
newTicketBody.setRenewTill(new KerberosTime(renewTill));
}
@@ -223,14 +207,15 @@
return newTicket;
}
- // TODO - support multiple encryption types
private EncryptedData encryptTicketPart(EncTicketPart ticketPart,
EncryptionKey serverKey) {
EncTicketPartEncoder encoder = new EncTicketPartEncoder();
EncryptedData encryptedTicketPart = null;
try {
byte[] plainText = encoder.encode(ticketPart);
-
- encryptedTicketPart =
_cryptoService.getEncryptedData(serverKey, plainText);
+
+ EncryptionEngine engine = getEncryptionEngine(serverKey);
+
+ encryptedTicketPart =
engine.getEncryptedData(serverKey, plainText);
} catch (Exception e) {
e.printStackTrace();
@@ -238,13 +223,14 @@
return encryptedTicketPart;
}
- // TODO - support multiple encryption types
private void encryptReplyPart(AuthenticationReply reply, EncryptionKey
clientKey) {
EncAsRepPartEncoder encoder = new EncAsRepPartEncoder();
try {
byte[] plainText = encoder.encode(reply);
-
- EncryptedData cipherText =
_cryptoService.getEncryptedData(clientKey, plainText);
+
+ EncryptionEngine engine = getEncryptionEngine(clientKey);
+
+ EncryptedData cipherText =
engine.getEncryptedData(clientKey, plainText);
reply.setEncPart(cipherText);
Added:
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
==============================================================================
--- (empty file)
+++
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
Tue Nov 9 21:19:42 2004
@@ -0,0 +1,108 @@
+/*
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc;
+
+import org.apache.kerberos.crypto.checksum.*;
+import org.apache.kerberos.crypto.encryption.DesCbcMd5Encryption;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionType;
+import org.apache.kerberos.kdc.store.PrincipalStore;
+import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptionKey;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+import java.util.HashMap;
+import java.util.Map;
+
+public class KerberosService
+{
+ private KdcConfiguration config;
+ private PrincipalStore bootstrap;
+ private PrincipalStore store;
+
+ private Map checksumEngines = new HashMap();
+
+ public KerberosService(KdcConfiguration config, PrincipalStore bootstrap,
PrincipalStore store)
+ {
+ this.config = config;
+ this.bootstrap = bootstrap;
+ this.store = store;
+
+ checksumEngines.put(ChecksumType.CRC32, new Crc32Checksum());
+ checksumEngines.put(ChecksumType.RSA_MD4, new RsaMd4Checksum());
+ checksumEngines.put(ChecksumType.RSA_MD5, new RsaMd5Checksum());
+ checksumEngines.put(ChecksumType.SHA1, new Sha1Checksum());
+ }
+
+ public EncryptionKey getKeyForPrincipal(KerberosPrincipal principal)
+ {
+ System.out.println(principal.getName());
+
+ EncryptionKey key = null;
+
+ try {
+ PrincipalStoreEntry entry =
bootstrap.getEntry(principal);
+ if (entry != null) {
+ key = entry.getEncryptionKey();
+ } else {
+ key =
store.getEntry(principal).getEncryptionKey();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ return key;
+ }
+
+ public EncryptionEngine getEncryptionEngine(EncryptionKey key)
+ throws KerberosException
+ {
+ int type = key.getKeyType().getOrdinal();
+
+ switch (type)
+ {
+ case 3:
+ return new DesCbcMd5Encryption();
+ }
+
+ throw KerberosException.KDC_ERR_ETYPE_NOSUPP;
+ }
+
+ protected EncryptionType getBestEncryptionType(EncryptionType[]
requestedTypes)
+ throws KerberosException
+ {
+ EncryptionType[] encryptionTypes = config.getEncryptionTypes();
+
+ for (int i = 0; i < requestedTypes.length; i++) {
+ for (int j = 0; j < encryptionTypes.length; j++) {
+ if (requestedTypes[i] == encryptionTypes[j])
+ return encryptionTypes[j];
+ }
+ }
+ throw KerberosException.KDC_ERR_ETYPE_NOSUPP;
+ }
+
+ protected void verifyTicket(Ticket ticket, KerberosPrincipal
serverPrincipal)
+ throws KerberosException {
+
+ if (!ticket.getRealm().equals(config.getPrimaryRealm())
+ &&
!ticket.getServerPrincipal().equals(serverPrincipal))
+ throw KerberosException.KRB_AP_ERR_NOT_US;
+ }
+}
+
Modified:
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
---
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
Tue Nov 9 21:19:42 2004
@@ -16,9 +16,10 @@
*/
package org.apache.kerberos.kdc;
-import org.apache.kerberos.crypto.CryptoService;
+import org.apache.kerberos.crypto.RandomKey;
import org.apache.kerberos.crypto.checksum.ChecksumEngine;
-import org.apache.kerberos.crypto.checksum.ChecksumType;
+import org.apache.kerberos.crypto.checksum.RsaMd5Checksum;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
import org.apache.kerberos.crypto.encryption.EncryptionType;
import org.apache.kerberos.io.decoder.ApplicationRequestDecoder;
import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
@@ -29,7 +30,6 @@
import org.apache.kerberos.io.encoder.KdcReqBodyEncoder;
import org.apache.kerberos.kdc.replay.ReplayCache;
import org.apache.kerberos.kdc.store.PrincipalStore;
-import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
import org.apache.kerberos.messages.ApplicationRequest;
import org.apache.kerberos.messages.KdcRequest;
import org.apache.kerberos.messages.MessageType;
@@ -49,22 +49,18 @@
/**
* RFC 1510 A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
*/
-public class TicketGrantingService {
-
- private PrincipalStore _store;
- private PrincipalStore _bootstrap;
- private CryptoService _cryptoService;
- private KdcConfiguration _config;
- private ReplayCache _replayCache;
+public class TicketGrantingService extends KerberosService {
+ private KdcConfiguration config;
+ private ReplayCache replayCache;
+
public TicketGrantingService(PrincipalStore store, PrincipalStore
bootstrap,
- CryptoService cryptoService, KdcConfiguration config,
ReplayCache replay) {
-
- _store = store;
- _bootstrap = bootstrap;
- _cryptoService = cryptoService;
- _config = config;
- _replayCache = replay;
+ KdcConfiguration config, ReplayCache replay)
+ {
+ super(config, bootstrap, store);
+
+ this.config = config;
+ replayCache = replay;
}
public TicketGrantReply getReplyFor(KdcRequest request) throws
KerberosException, IOException {
@@ -79,7 +75,7 @@
verifyBodyChecksum(authenticator.getChecksum(), request);
- EncryptionKey sessionKey = _cryptoService.getNewSessionKey();
+ EncryptionKey sessionKey = new RandomKey().getNewSessionKey();
EncryptionType eType =
getBestEncryptionType(request.getEType());
@@ -119,21 +115,22 @@
throw KerberosException.KRB_AP_ERR_MSG_TYPE;
if (authHeader.getTicket().getTicketVersionNumber() != 5)
throw KerberosException.KRB_AP_ERR_BADVERSION;
-
- // TODO - support multiple encryption types
+
+ KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
+
EncryptionKey serverKey = null;
- if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) {
+
+ if (authHeader.getOption(ApOptions.USE_SESSION_KEY))
+ {
serverKey = authHeader.getTicket().getSessionKey();
- } else {
- KerberosPrincipal serverPrincipal =
ticket.getServerPrincipal();
- PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
- if (serverEntry != null) {
- serverKey = serverEntry.getEncryptionKey();
- } else {
- serverKey =
_store.getEntry(serverPrincipal).getEncryptionKey();
- }
}
- if (serverKey == null) {
+ else
+ {
+ serverKey = getKeyForPrincipal(serverPrincipal);
+ }
+
+ if (serverKey == null)
+ {
// TODO - check server key version number, skvno;
requires store
if (false)
throw KerberosException.KRB_AP_ERR_BADKEYVER;
@@ -142,7 +139,9 @@
}
try {
- byte[] decTicketPart =
_cryptoService.decrypt(serverKey, ticket.getEncPart());
+ EncryptionEngine engine = getEncryptionEngine(serverKey);
+
+ byte[] decTicketPart =
engine.getDecryptedData(serverKey, ticket.getEncPart());
EncTicketPartDecoder ticketPartDecoder = new
EncTicketPartDecoder();
EncTicketPart encPart =
ticketPartDecoder.decode(decTicketPart);
@@ -154,7 +153,9 @@
Authenticator authenticator;
try {
- byte[] decAuthenticator =
_cryptoService.decrypt(ticket.getSessionKey(), authHeader.getEncPart());
+ EncryptionEngine engine =
getEncryptionEngine(ticket.getSessionKey());
+
+ byte[] decAuthenticator =
engine.getDecryptedData(ticket.getSessionKey(), authHeader.getEncPart());
AuthenticatorDecoder authDecoder = new
AuthenticatorDecoder();
authenticator = authDecoder.decode(decAuthenticator);
} catch (KerberosException ke) {
@@ -175,16 +176,16 @@
// error_out(KRB_AP_ERR_BADADDR);
}
- if(_replayCache.isReplay(authenticator.getClientTime(),
authenticator.getClientPrincipal())) {
+ if(replayCache.isReplay(authenticator.getClientTime(),
authenticator.getClientPrincipal())) {
throw KerberosException.KRB_AP_ERR_REPEAT;
}
- _replayCache.save(authenticator.getClientTime(),
authenticator.getClientPrincipal());
+ replayCache.save(authenticator.getClientTime(),
authenticator.getClientPrincipal());
- if
(!authenticator.getClientTime().isInClockSkew(_config.getClockSkew()))
+ if
(!authenticator.getClientTime().isInClockSkew(config.getClockSkew()))
throw KerberosException.KRB_AP_ERR_SKEW;
- if (ticket.getStartTime() != null &&
!ticket.getStartTime().isInClockSkew(_config.getClockSkew()) ||
+ if (ticket.getStartTime() != null &&
!ticket.getStartTime().isInClockSkew(config.getClockSkew()) ||
ticket.getFlag(TicketFlags.INVALID))
// it hasn't yet become valid
throw KerberosException.KRB_AP_ERR_TKT_NYV;
@@ -198,14 +199,6 @@
return authenticator;
}
- private void verifyTicket( Ticket ticket, KerberosPrincipal
serverPrincipal )
- throws KerberosException
- {
- if (!ticket.getRealm().equals(_config.getPrimaryRealm()) &&
-
!ticket.getServerPrincipal().equals(serverPrincipal))
- throw KerberosException.KRB_AP_ERR_NOT_US;
- }
-
// TODO - configurable checksum
private void verifyBodyChecksum(Checksum authChecksum, KdcRequest
request)
throws KerberosException {
@@ -233,7 +226,7 @@
ioe.printStackTrace();
}
- ChecksumEngine digester =
CryptoService.getInstance(ChecksumType.RSA_MD5);
+ ChecksumEngine digester = new RsaMd5Checksum();
Checksum newChecksum = new Checksum(digester.checksumType(),
digester.calculateChecksum(bytes));
boolean equal = newChecksum.equals(authChecksum);
@@ -242,33 +235,16 @@
throw KerberosException.KRB_AP_ERR_MODIFIED;
}
- private EncryptionType getBestEncryptionType(EncryptionType[]
requestedTypes)
- throws KerberosException {
-
- EncryptionType[] encryptionTypes = _config.getEncryptionTypes();
-
- for (int i = 0; i < requestedTypes.length; i++) {
- for (int j = 0; j < encryptionTypes.length; j++) {
- if (requestedTypes[i] == encryptionTypes[j])
- return encryptionTypes[j];
- }
- }
- throw KerberosException.KDC_ERR_ETYPE_NOSUPP;
- }
-
private EncryptionKey getServerKey(KerberosPrincipal serverPrincipal)
throws KerberosException {
EncryptionKey serverKey = null;
// TODO - allow lookup with realm
- try {
- PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
- if (serverEntry != null) {
- serverKey = serverEntry.getEncryptionKey();
- } else {
- serverKey =
_store.getEntry(serverPrincipal).getEncryptionKey();
- }
-
- } catch (Exception e) {
+ try
+ {
+ serverKey = getKeyForPrincipal(serverPrincipal);
+ }
+ catch (Exception e)
+ {
/*
if (!server) then
if (is_foreign_tgt_name(server)) then
@@ -363,7 +339,7 @@
newTicketBody.setFlag(TicketFlags.POSTDATED);
newTicketBody.setFlag(TicketFlags.INVALID);
- if (!_config.isPostdateAllowed())
+ if (!config.isPostdateAllowed())
throw KerberosException.KDC_ERR_POLICY;
newTicketBody.setStartTime(request.getFrom());
@@ -437,7 +413,7 @@
*/
List minimizer = new ArrayList();
minimizer.add(till);
- minimizer.add(new KerberosTime(now.getTime() +
_config.getMaximumTicketLifetime()));
+ minimizer.add(new KerberosTime(now.getTime() +
config.getMaximumTicketLifetime()));
minimizer.add(tgt.getEndTime());
KerberosTime minTime =
(KerberosTime)Collections.min(minimizer);
newTicketBody.setEndTime(minTime);
@@ -473,7 +449,7 @@
// TODO - client and server configurable; requires
store
List minimizer = new ArrayList();
minimizer.add(rtime);
- minimizer.add(new KerberosTime(now.getTime() +
_config.getMaximumRenewableLifetime()));
+ minimizer.add(new KerberosTime(now.getTime() +
config.getMaximumRenewableLifetime()));
minimizer.add(tgt.getRenewTill());
newTicketBody.setRenewTill((KerberosTime)Collections.min(minimizer));
}
@@ -486,7 +462,9 @@
if (request.getEncAuthorizationData() != null) {
try {
- byte[] decryptedAuthData =
_cryptoService.decrypt(authHeader.getSubSessionKey(),
+ EncryptionEngine engine =
getEncryptionEngine(authHeader.getSubSessionKey());
+
+ byte[] decryptedAuthData =
engine.getDecryptedData(authHeader.getSubSessionKey(),
request.getEncAuthorizationData());
AuthorizationDataDecoder decoder = new
AuthorizationDataDecoder();
authData = decoder.decode(decryptedAuthData);
@@ -548,16 +526,18 @@
} else {
// encrypt with serverKey
}
- return _cryptoService.getEncryptedData(serverKey,
encodedTicket);
+ EncryptionEngine engine = getEncryptionEngine(serverKey);
+
+ return engine.getEncryptedData(serverKey, encodedTicket);
}
- // TODO - support multiple encryption types, this is hardwired for
DES_CBC_MD5
private void encryptReplyPart(TicketGrantReply reply, EncryptionKey
key) {
EncTgsRepPartEncoder encoder = new EncTgsRepPartEncoder();
try {
byte[] plainText = encoder.encode(reply);
-
- EncryptedData cipherText =
_cryptoService.getEncryptedData(key, plainText);
+ EncryptionEngine engine = getEncryptionEngine(key);
+
+ EncryptedData cipherText = engine.getEncryptedData(key,
plainText);
reply.setEncPart(cipherText);
