Author: erodriguez
Date: Tue Nov 9 21:33:35 2004
New Revision: 57142
Modified:
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KdcDispatcher.java
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
Log:
Moved authentication header verification and replay cache protection to service
base class.
Modified:
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
==============================================================================
---
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
(original)
+++
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
Tue Nov 9 21:33:35 2004
@@ -24,22 +24,20 @@
import org.apache.kerberos.changepw.value.ChangePasswordData;
import org.apache.kerberos.changepw.value.ChangePasswordDataModifier;
import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
import org.apache.kerberos.io.decoder.EncKrbPrivPartDecoder;
-import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
import org.apache.kerberos.io.encoder.EncApRepPartEncoder;
import org.apache.kerberos.io.encoder.EncKrbPrivPartEncoder;
import org.apache.kerberos.kdc.KdcConfiguration;
import org.apache.kerberos.kdc.KerberosException;
import org.apache.kerberos.kdc.KerberosService;
import org.apache.kerberos.kdc.store.PrincipalStore;
-import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
import org.apache.kerberos.messages.ApplicationRequest;
-import org.apache.kerberos.messages.MessageType;
import org.apache.kerberos.messages.application.ApplicationReply;
import org.apache.kerberos.messages.application.PrivateMessage;
import org.apache.kerberos.messages.components.*;
-import org.apache.kerberos.messages.value.*;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.HostAddress;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
@@ -49,10 +47,9 @@
/**
* Kerberos Change Password and Set Password Protocols (RFC 3244)
*/
-public class ChangePasswordService extends KerberosService {
-
+public class ChangePasswordService extends KerberosService
+{
private PasswordStore store;
- private PrincipalStore bootstrap;
private KdcConfiguration config;
public ChangePasswordService(PasswordStore store, PrincipalStore
bootstrap, KdcConfiguration config)
@@ -60,13 +57,12 @@
super(config, bootstrap, null);
this.store = store;
- this.bootstrap = bootstrap;
this.config = config;
}
public ChangePasswordReply getReplyFor(ChangePasswordRequest request)
- throws KerberosException, IOException {
-
+ throws KerberosException, IOException
+ {
ApplicationRequest authHeader = request.getAuthHeader();
Ticket ticket = authHeader.getTicket();
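Review bot: Dropping the local `bootstrap` field means the server-key lookup for this service now goes through the inherited `verifyAuthHeader`, which resolves the key via `getKeyForPrincipal`, while the `super(config, bootstrap, null)` call a few lines above still hands the base class a null principal store. The changepw-specific verifier removed in this commit consulted only the bootstrap store and carried a note that changepw lacks the same store access, so please confirm that `getKeyForPrincipal` (defined outside this hunk) falls back to the bootstrap store when `store` is null; otherwise change-password requests would fail key lookup or dereference null. A one-line comment on the `super` call, such as `// store is null: changepw server keys come from the bootstrap store only`, would make that dependency explicit. getReplyFor's body continues past this hunk.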
@@ -175,106 +171,6 @@
replyModifier.setPrivateMessage(privateMessage);
return replyModifier.getChangePasswordReply();
-
- }
-
- // TODO - this is a duplicate from the TGS service, with the
ReplayCache disabled and ...
- // TODO - ... changepw doesn't have the same LDAP store access
- // RFC 1510 A.10. KRB_AP_REQ verification
- private Authenticator verifyAuthHeader(ApplicationRequest authHeader,
Ticket ticket)
- throws KerberosException, IOException {
-
- if (authHeader.getProtocolVersionNumber() != 5)
- throw KerberosException.KRB_AP_ERR_BADVERSION;
- if (authHeader.getMessageType() != MessageType.KRB_AP_REQ)
- throw KerberosException.KRB_AP_ERR_MSG_TYPE;
- if (authHeader.getTicket().getTicketVersionNumber() != 5)
- throw KerberosException.KRB_AP_ERR_BADVERSION;
-
- EncryptionKey serverKey = null;
- if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) {
- serverKey = authHeader.getTicket().getSessionKey();
- } else {
- KerberosPrincipal serverPrincipal =
ticket.getServerPrincipal();
- PrincipalStoreEntry serverEntry =
bootstrap.getEntry(serverPrincipal);
-
- if (serverEntry != null) {
- serverKey = serverEntry.getEncryptionKey();
- }/*
- else {
- serverKey =
store.getEntry(serverPrincipal).getEncryptionKey();
- }
- */
- }
- if (serverKey == null) {
- // TODO - check server key version number, skvno;
requires store
- if (false)
- throw KerberosException.KRB_AP_ERR_BADKEYVER;
-
- throw KerberosException.KRB_AP_ERR_NOKEY;
- }
-
- try {
- EncryptionEngine engine = getEncryptionEngine(serverKey);
-
- byte[] decTicketPart =
engine.getDecryptedData(serverKey, ticket.getEncPart());
-
- EncTicketPartDecoder ticketPartDecoder = new
EncTicketPartDecoder();
- EncTicketPart encPart =
ticketPartDecoder.decode(decTicketPart);
- ticket.setEncTicketPart(encPart);
- } catch (KerberosException ke) {
- throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
- }
-
- Authenticator authenticator;
-
- try {
- EncryptionEngine engine =
getEncryptionEngine(ticket.getSessionKey());
-
- byte[] decAuthenticator =
engine.getDecryptedData(ticket.getSessionKey(), authHeader.getEncPart());
- AuthenticatorDecoder authDecoder = new
AuthenticatorDecoder();
- authenticator = authDecoder.decode(decAuthenticator);
- } catch (KerberosException ke) {
- throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
- }
-
- if
(!authenticator.getClientPrincipal().getName().equals(ticket.getClientPrincipal().getName()))
{
- throw KerberosException.KRB_AP_ERR_BADMATCH;
- }
-
- // TODO - need to get at IP Address for sender
- if (ticket.getClientAddresses() != null) {
- // if (sender_address(packet) is not in
decr_ticket.caddr)
- // then error_out(KRB_AP_ERR_BADADDR);
- }
- else {
- // if (application requires addresses) then
- // error_out(KRB_AP_ERR_BADADDR);
- }
-
- /*
- if(_replayCache.isReplay(authenticator.getClientTime(),
authenticator.getClientPrincipal())) {
- throw KerberosException.KRB_AP_ERR_REPEAT;
- }
-
- _replayCache.save(authenticator.getClientTime(),
authenticator.getClientPrincipal());
- */
-
- if
(!authenticator.getClientTime().isInClockSkew(config.getClockSkew()))
- throw KerberosException.KRB_AP_ERR_SKEW;
-
- if (ticket.getStartTime() != null &&
!ticket.getStartTime().isInClockSkew(config.getClockSkew()) ||
- ticket.getFlag(TicketFlags.INVALID))
- // it hasn't yet become valid
- throw KerberosException.KRB_AP_ERR_TKT_NYV;
-
- // TODO - doesn't take into account skew
- if (!ticket.getEndTime().greaterThan(new KerberosTime()))
- throw KerberosException.KRB_AP_ERR_TKT_EXPIRED;
-
- authHeader.setOption(ApOptions.MUTUAL_REQUIRED);
-
- return authenticator;
}
}
Modified:
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KdcDispatcher.java
==============================================================================
---
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KdcDispatcher.java
(original)
+++
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KdcDispatcher.java
Tue Nov 9 21:33:35 2004
@@ -19,8 +19,6 @@
import org.apache.kerberos.io.decoder.KdcRequestDecoder;
import org.apache.kerberos.io.encoder.ErrorMessageEncoder;
import org.apache.kerberos.io.encoder.KdcReplyEncoder;
-import org.apache.kerberos.kdc.replay.InMemoryReplayCache;
-import org.apache.kerberos.kdc.replay.ReplayCache;
import org.apache.kerberos.kdc.store.BootstrapStore;
import org.apache.kerberos.kdc.store.PrincipalStore;
import org.apache.kerberos.messages.AuthenticationReply;
@@ -39,10 +37,8 @@
private static final byte TGS_REQ = (byte) 0x6C;
private static final byte TGS_REP = (byte) 0x6D;
- private ReplayCache _replay = new InMemoryReplayCache();
-
- private KdcRequestDecoder _decoder = new KdcRequestDecoder();
- private KdcReplyEncoder _encoder = new KdcReplyEncoder();
+ private KdcRequestDecoder _decoder = new KdcRequestDecoder();
+ private KdcReplyEncoder _encoder = new KdcReplyEncoder();
private ErrorMessageEncoder _errorEncoder = new ErrorMessageEncoder();
private PrincipalStore _bootstrap;
@@ -60,7 +56,7 @@
_errorService = new ErrorService(_config);
_authService = new AuthenticationService(_store, _bootstrap,
_config);
- _tgsService = new TicketGrantingService(_store, _bootstrap,
_config, _replay);
+ _tgsService = new TicketGrantingService(_store, _bootstrap,
_config);
}
public byte[] dispatch(byte[] requestBytes) throws IOException {
Modified:
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
==============================================================================
---
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
(original)
+++
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
Tue Nov 9 21:33:35 2004
@@ -22,12 +22,24 @@
import org.apache.kerberos.crypto.encryption.EncryptionType;
import org.apache.kerberos.kdc.store.PrincipalStore;
import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
+import org.apache.kerberos.kdc.replay.ReplayCache;
+import org.apache.kerberos.kdc.replay.InMemoryReplayCache;
import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.EncTicketPart;
import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.ApOptions;
+import org.apache.kerberos.messages.value.TicketFlags;
+import org.apache.kerberos.messages.value.KerberosTime;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.MessageType;
+import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
+import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
import javax.security.auth.kerberos.KerberosPrincipal;
import java.util.HashMap;
import java.util.Map;
+import java.io.IOException;
public class KerberosService
{
@@ -35,6 +47,8 @@
private PrincipalStore bootstrap;
private PrincipalStore store;
+ private ReplayCache replayCache = new InMemoryReplayCache();
+
private Map checksumEngines = new HashMap();
public KerberosService(KdcConfiguration config, PrincipalStore bootstrap,
PrincipalStore store)
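Review bot: `replayCache` is created unconditionally as `new InMemoryReplayCache()` and is `private` and non-final, so the `ReplayCache` that `KdcDispatcher` previously constructed and passed into `TicketGrantingService` can no longer be supplied from outside, and every service instance now keeps its own independent cache. If pluggability is still wanted (a shared or persistent cache, or a stub in tests), consider accepting a `ReplayCache` in the constructor, defaulting to the in-memory one when null is passed, and marking the field `final`. The constructor body continues outside this hunk.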
@@ -103,6 +117,100 @@
if (!ticket.getRealm().equals(config.getPrimaryRealm())
&&
!ticket.getServerPrincipal().equals(serverPrincipal))
throw KerberosException.KRB_AP_ERR_NOT_US;
+ }
+
+ // RFC 1510 A.10. KRB_AP_REQ verification
+ protected Authenticator verifyAuthHeader(ApplicationRequest authHeader,
Ticket ticket)
+ throws KerberosException, IOException {
+
+ if (authHeader.getProtocolVersionNumber() != 5)
+ throw KerberosException.KRB_AP_ERR_BADVERSION;
+ if (authHeader.getMessageType() != MessageType.KRB_AP_REQ)
+ throw KerberosException.KRB_AP_ERR_MSG_TYPE;
+ if (authHeader.getTicket().getTicketVersionNumber() != 5)
+ throw KerberosException.KRB_AP_ERR_BADVERSION;
+
+ KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
+
+ EncryptionKey serverKey = null;
+
+ if (authHeader.getOption(ApOptions.USE_SESSION_KEY))
+ {
+ serverKey = authHeader.getTicket().getSessionKey();
+ }
+ else
+ {
+ serverKey = getKeyForPrincipal(serverPrincipal);
+ }
+
+ if (serverKey == null)
+ {
+ // TODO - check server key version number, skvno;
requires store
+ if (false)
+ throw KerberosException.KRB_AP_ERR_BADKEYVER;
+
+ throw KerberosException.KRB_AP_ERR_NOKEY;
+ }
+
+ try {
+ EncryptionEngine engine = getEncryptionEngine(serverKey);
+
+ byte[] decTicketPart =
engine.getDecryptedData(serverKey, ticket.getEncPart());
+
+ EncTicketPartDecoder ticketPartDecoder = new
EncTicketPartDecoder();
+ EncTicketPart encPart =
ticketPartDecoder.decode(decTicketPart);
+ ticket.setEncTicketPart(encPart);
+ } catch (KerberosException ke) {
+ throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
+ }
+
+ Authenticator authenticator;
+
+ try {
+ EncryptionEngine engine =
getEncryptionEngine(ticket.getSessionKey());
+
+ byte[] decAuthenticator =
engine.getDecryptedData(ticket.getSessionKey(), authHeader.getEncPart());
+ AuthenticatorDecoder authDecoder = new
AuthenticatorDecoder();
+ authenticator = authDecoder.decode(decAuthenticator);
+ } catch (KerberosException ke) {
+ throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
+ }
+
+ if
(!authenticator.getClientPrincipal().getName().equals(ticket.getClientPrincipal().getName()))
{
+ throw KerberosException.KRB_AP_ERR_BADMATCH;
+ }
+
+ // TODO - need to get at IP Address for sender
+ if (ticket.getClientAddresses() != null) {
+ // if (sender_address(packet) is not in
decr_ticket.caddr)
+ // then error_out(KRB_AP_ERR_BADADDR);
+ }
+ else {
+ // if (application requires addresses) then
+ // error_out(KRB_AP_ERR_BADADDR);
+ }
+
+ if(replayCache.isReplay(authenticator.getClientTime(),
authenticator.getClientPrincipal())) {
+ throw KerberosException.KRB_AP_ERR_REPEAT;
+ }
+
+ replayCache.save(authenticator.getClientTime(),
authenticator.getClientPrincipal());
+
+ if
(!authenticator.getClientTime().isInClockSkew(config.getClockSkew()))
+ throw KerberosException.KRB_AP_ERR_SKEW;
+
+ if (ticket.getStartTime() != null &&
!ticket.getStartTime().isInClockSkew(config.getClockSkew()) ||
+ ticket.getFlag(TicketFlags.INVALID))
+ // it hasn't yet become valid
+ throw KerberosException.KRB_AP_ERR_TKT_NYV;
+
+ // TODO - doesn't take into account skew
+ if (!ticket.getEndTime().greaterThan(new KerberosTime()))
+ throw KerberosException.KRB_AP_ERR_TKT_EXPIRED;
+
+ authHeader.setOption(ApOptions.MUTUAL_REQUIRED);
+
+ return authenticator;
}
}
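Review bot: The replay check and `replayCache.save(...)` run before the clock-skew test on the authenticator, so an authenticator whose client time is outside the configured skew is recorded in the cache before being rejected with KRB_AP_ERR_SKEW, and the cache has to retain identifiers that the skew window would otherwise bound. RFC 1510 A.10, which the comment above the method cites, performs the skew test first and only then the repeat test and save; moving the two lines `if (!authenticator.getClientTime().isInClockSkew(config.getClockSkew())) throw KerberosException.KRB_AP_ERR_SKEW;` above the `replayCache.isReplay(...)` check restores that order. Separately, when `ApOptions.USE_SESSION_KEY` is set the server key is read via `authHeader.getTicket().getSessionKey()` before the ticket's encrypted part is decoded further down in the method, so please confirm that `getSessionKey()` can be populated at that point; if it cannot, that branch always ends in KRB_AP_ERR_NOKEY. The `if (false) throw KerberosException.KRB_AP_ERR_BADKEYVER;` under the TODO is dead code and would read better as the TODO comment alone.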
Modified:
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
---
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++
incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
Tue Nov 9 21:33:35 2004
@@ -22,17 +22,13 @@
import org.apache.kerberos.crypto.encryption.EncryptionEngine;
import org.apache.kerberos.crypto.encryption.EncryptionType;
import org.apache.kerberos.io.decoder.ApplicationRequestDecoder;
-import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
import org.apache.kerberos.io.decoder.AuthorizationDataDecoder;
-import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
import org.apache.kerberos.io.encoder.EncTgsRepPartEncoder;
import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
import org.apache.kerberos.io.encoder.KdcReqBodyEncoder;
-import org.apache.kerberos.kdc.replay.ReplayCache;
import org.apache.kerberos.kdc.store.PrincipalStore;
import org.apache.kerberos.messages.ApplicationRequest;
import org.apache.kerberos.messages.KdcRequest;
-import org.apache.kerberos.messages.MessageType;
import org.apache.kerberos.messages.TicketGrantReply;
import org.apache.kerberos.messages.components.Authenticator;
import org.apache.kerberos.messages.components.EncTicketPart;
@@ -52,15 +48,13 @@
public class TicketGrantingService extends KerberosService {
private KdcConfiguration config;
- private ReplayCache replayCache;
public TicketGrantingService(PrincipalStore store, PrincipalStore
bootstrap,
- KdcConfiguration config, ReplayCache replay)
+ KdcConfiguration config)
{
super(config, bootstrap, store);
this.config = config;
- replayCache = replay;
}
public TicketGrantReply getReplyFor(KdcRequest request) throws
KerberosException, IOException {
@@ -105,99 +99,7 @@
return authHeader;
}
- // RFC 1510 A.10. KRB_AP_REQ verification
- private Authenticator verifyAuthHeader(ApplicationRequest authHeader,
Ticket ticket)
- throws KerberosException, IOException {
-
- if (authHeader.getProtocolVersionNumber() != 5)
- throw KerberosException.KRB_AP_ERR_BADVERSION;
- if (authHeader.getMessageType() != MessageType.KRB_AP_REQ)
- throw KerberosException.KRB_AP_ERR_MSG_TYPE;
- if (authHeader.getTicket().getTicketVersionNumber() != 5)
- throw KerberosException.KRB_AP_ERR_BADVERSION;
- KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
-
- EncryptionKey serverKey = null;
-
- if (authHeader.getOption(ApOptions.USE_SESSION_KEY))
- {
- serverKey = authHeader.getTicket().getSessionKey();
- }
- else
- {
- serverKey = getKeyForPrincipal(serverPrincipal);
- }
-
- if (serverKey == null)
- {
- // TODO - check server key version number, skvno;
requires store
- if (false)
- throw KerberosException.KRB_AP_ERR_BADKEYVER;
-
- throw KerberosException.KRB_AP_ERR_NOKEY;
- }
-
- try {
- EncryptionEngine engine = getEncryptionEngine(serverKey);
-
- byte[] decTicketPart =
engine.getDecryptedData(serverKey, ticket.getEncPart());
-
- EncTicketPartDecoder ticketPartDecoder = new
EncTicketPartDecoder();
- EncTicketPart encPart =
ticketPartDecoder.decode(decTicketPart);
- ticket.setEncTicketPart(encPart);
- } catch (KerberosException ke) {
- throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
- }
-
- Authenticator authenticator;
-
- try {
- EncryptionEngine engine =
getEncryptionEngine(ticket.getSessionKey());
-
- byte[] decAuthenticator =
engine.getDecryptedData(ticket.getSessionKey(), authHeader.getEncPart());
- AuthenticatorDecoder authDecoder = new
AuthenticatorDecoder();
- authenticator = authDecoder.decode(decAuthenticator);
- } catch (KerberosException ke) {
- throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
- }
-
- if
(!authenticator.getClientPrincipal().getName().equals(ticket.getClientPrincipal().getName()))
{
- throw KerberosException.KRB_AP_ERR_BADMATCH;
- }
-
- // TODO - need to get at IP Address for sender
- if (ticket.getClientAddresses() != null) {
- // if (sender_address(packet) is not in
decr_ticket.caddr)
- // then error_out(KRB_AP_ERR_BADADDR);
- }
- else {
- // if (application requires addresses) then
- // error_out(KRB_AP_ERR_BADADDR);
- }
-
- if(replayCache.isReplay(authenticator.getClientTime(),
authenticator.getClientPrincipal())) {
- throw KerberosException.KRB_AP_ERR_REPEAT;
- }
-
- replayCache.save(authenticator.getClientTime(),
authenticator.getClientPrincipal());
-
- if
(!authenticator.getClientTime().isInClockSkew(config.getClockSkew()))
- throw KerberosException.KRB_AP_ERR_SKEW;
-
- if (ticket.getStartTime() != null &&
!ticket.getStartTime().isInClockSkew(config.getClockSkew()) ||
- ticket.getFlag(TicketFlags.INVALID))
- // it hasn't yet become valid
- throw KerberosException.KRB_AP_ERR_TKT_NYV;
-
- // TODO - doesn't take into account skew
- if (!ticket.getEndTime().greaterThan(new KerberosTime()))
- throw KerberosException.KRB_AP_ERR_TKT_EXPIRED;
-
- authHeader.setOption(ApOptions.MUTUAL_REQUIRED);
-
- return authenticator;
- }
// TODO - configurable checksum
private void verifyBodyChecksum(Checksum authChecksum, KdcRequest
request)