Path: blob/master/src/java.security.jgss/macosx/native/libosxkrb5/nativeccache.c
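/*
 * Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

#import "sun_security_krb5_Credentials.h"
#import <Kerberos/Kerberos.h>
#import <string.h>
#import <time.h>

#include <arpa/inet.h>   /* htonl */
#include <stdarg.h>      /* va_list for printiferr */
#include <stdint.h>      /* uint32_t */
#include <stdio.h>       /* printf diagnostics */

#include "jni_util.h"

/*
 * Based largely on klist.c,
 *
 * Created by Scott Kovatch on 8/12/04.
 *
 * See http://www.opensource.apple.com/darwinsource/10.3.3/Kerberos-47/KerberosClients/klist/Sources/klist.c
 */

/*
 * Statics for this module.
 *
 * The jclass values are weak global references created in JNI_OnLoad and
 * released in JNI_OnUnload. The method IDs are resolved in JNI_OnLoad as
 * well, except krbcredsConstructor, which is resolved lazily inside
 * acquireDefaultNativeCreds because that is where the Credentials class
 * object is passed to us. javaLangStringClass, javaLangIntegerClass,
 * integerConstructor, hostAddressesClass and hostAddressesConstructor are
 * resolved here but not referenced by any other routine in this file.
 */

static jclass ticketClass = NULL;
static jclass principalNameClass = NULL;
static jclass encryptionKeyClass = NULL;
static jclass ticketFlagsClass = NULL;
static jclass kerberosTimeClass = NULL;
static jclass javaLangStringClass = NULL;
static jclass javaLangIntegerClass = NULL;
static jclass hostAddressClass = NULL;
static jclass hostAddressesClass = NULL;

static jmethodID ticketConstructor = NULL;
static jmethodID principalNameConstructor = NULL;
static jmethodID encryptionKeyConstructor = NULL;
static jmethodID ticketFlagsConstructor = NULL;
static jmethodID kerberosTimeConstructor = NULL;
static jmethodID krbcredsConstructor = NULL;
static jmethodID integerConstructor = NULL;
static jmethodID hostAddressConstructor = NULL;
static jmethodID hostAddressesConstructor = NULL;

/*
 * Server name of the ccache configuration entry that marks a cache as
 * holding proxy (S4U2Proxy-style) credentials; such caches are not used.
 */
static const char PROXY_IMPERSONATOR_ENTRY[] =
    "krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF:";

/*
 * Function prototypes for internal routines
 */

static jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket);
static jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_principal principalName);
static jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey);
static jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags);
static jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime);
static jobject BuildAddressList(JNIEnv *env, krb5_address **addresses);
static jobject BuildKrbCreds(JNIEnv *env, jclass krbcredsClass, krb5_context kcontext, krb5_creds *creds);
static int IsOwnRealmTgt(const char *serverName);

static void printiferr(errcode_t err, const char *format, ...);

/*
 * Looks up className and returns a weak global reference to it, or NULL
 * (after printing a diagnostic) when the class cannot be found; in that case
 * the JVM has left a NoClassDefFoundError pending for the caller to report.
 * The local reference produced by the lookup is released here so only the
 * weak global reference survives.
 */
static jclass FindClass(JNIEnv *env, const char *className)
{
    jclass cls = (*env)->FindClass(env, className);
    jclass weakRef;

    if (cls == NULL) {
        printf("Couldn't find %s\n", className);
        return NULL;
    }

    weakRef = (*env)->NewWeakGlobalRef(env, cls);
    (*env)->DeleteLocalRef(env, cls);
    return weakRef;
}

/*
 * Resolves the "<init>" method with signature sig on cls. Prints a
 * diagnostic naming `what` and returns NULL when it is missing; the JVM then
 * has a NoSuchMethodError pending.
 */
static jmethodID FindConstructor(JNIEnv *env, jclass cls, const char *sig, const char *what)
{
    jmethodID ctor = (*env)->GetMethodID(env, cls, "<init>", sig);

    if (ctor == NULL) {
        printf("Couldn't find %s constructor\n", what);
    }
    return ctor;
}

/*
 * Class:     sun_security_krb5_KrbCreds
 * Method:    JNI_OnLoad
 *
 * Caches the classes and constructors needed to turn native credentials into
 * Java objects. Any lookup failure aborts loading with JNI_ERR.
 */
JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *jvm, void *reserved)
{
    JNIEnv *env;

    if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_4)) {
        return JNI_EVERSION; /* JNI version not supported */
    }

    ticketClass = FindClass(env, "sun/security/krb5/internal/Ticket");
    if (ticketClass == NULL) return JNI_ERR;

    principalNameClass = FindClass(env, "sun/security/krb5/PrincipalName");
    if (principalNameClass == NULL) return JNI_ERR;

    encryptionKeyClass = FindClass(env, "sun/security/krb5/EncryptionKey");
    if (encryptionKeyClass == NULL) return JNI_ERR;

    ticketFlagsClass = FindClass(env, "sun/security/krb5/internal/TicketFlags");
    if (ticketFlagsClass == NULL) return JNI_ERR;

    kerberosTimeClass = FindClass(env, "sun/security/krb5/internal/KerberosTime");
    if (kerberosTimeClass == NULL) return JNI_ERR;

    javaLangStringClass = FindClass(env, "java/lang/String");
    if (javaLangStringClass == NULL) return JNI_ERR;

    javaLangIntegerClass = FindClass(env, "java/lang/Integer");
    if (javaLangIntegerClass == NULL) return JNI_ERR;

    hostAddressClass = FindClass(env, "sun/security/krb5/internal/HostAddress");
    if (hostAddressClass == NULL) return JNI_ERR;

    hostAddressesClass = FindClass(env, "sun/security/krb5/internal/HostAddresses");
    if (hostAddressesClass == NULL) return JNI_ERR;

    ticketConstructor = FindConstructor(env, ticketClass, "([B)V", "Ticket");
    if (ticketConstructor == NULL) return JNI_ERR;

    principalNameConstructor = FindConstructor(env, principalNameClass, "(Ljava/lang/String;I)V", "PrincipalName");
    if (principalNameConstructor == NULL) return JNI_ERR;

    encryptionKeyConstructor = FindConstructor(env, encryptionKeyClass, "(I[B)V", "EncryptionKey");
    if (encryptionKeyConstructor == NULL) return JNI_ERR;

    ticketFlagsConstructor = FindConstructor(env, ticketFlagsClass, "(I[B)V", "TicketFlags");
    if (ticketFlagsConstructor == NULL) return JNI_ERR;

    kerberosTimeConstructor = FindConstructor(env, kerberosTimeClass, "(J)V", "KerberosTime");
    if (kerberosTimeConstructor == NULL) return JNI_ERR;

    integerConstructor = FindConstructor(env, javaLangIntegerClass, "(I)V", "Integer");
    if (integerConstructor == NULL) return JNI_ERR;

    hostAddressConstructor = FindConstructor(env, hostAddressClass, "(I[B)V", "HostAddress");
    if (hostAddressConstructor == NULL) return JNI_ERR;

    hostAddressesConstructor = FindConstructor(env, hostAddressesClass,
                                               "([Lsun/security/krb5/internal/HostAddress;)V",
                                               "HostAddresses");
    if (hostAddressesConstructor == NULL) return JNI_ERR;

    return JNI_VERSION_1_2;
}

/*
 * Class:     sun_security_jgss_KrbCreds
 * Method:    JNI_OnUnload
 *
 * Releases the weak global class references taken in JNI_OnLoad and clears
 * the statics so no dangling reference survives.
 */
JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *jvm, void *reserved)
{
    JNIEnv *env;
    jclass *classRefs[] = {
        &ticketClass, &principalNameClass, &encryptionKeyClass,
        &ticketFlagsClass, &kerberosTimeClass, &javaLangStringClass,
        &javaLangIntegerClass, &hostAddressClass, &hostAddressesClass
    };
    size_t i;

    if ((*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_2)) {
        return; /* Nothing else we can do */
    }

    for (i = 0; i < sizeof(classRefs) / sizeof(classRefs[0]); i++) {
        if (*classRefs[i] != NULL) {
            (*env)->DeleteWeakGlobalRef(env, *classRefs[i]);
            *classRefs[i] = NULL;
        }
    }
}

/*
 * Returns 1 when enctype e is one of the n entries of etypes, else 0.
 * n <= 0 or an empty list never matches.
 */
int isIn(krb5_enctype e, int n, jint *etypes)
{
    for (int i = 0; i < n; i++) {
        if (e == etypes[i]) {
            return 1;
        }
    }
    return 0;
}

/*
 * Returns non-zero when serverName (as produced by krb5_unparse_name) has
 * exactly the form krbtgt/REALM@REALM, i.e. it is the ticket-granting ticket
 * for the client's own realm. Both the "krbtgt" component and the realm are
 * compared for their full length, so a service whose name merely starts with
 * the same letters, a cross-realm TGT (krbtgt/OTHER@REALM) and a realm that
 * only shares a prefix with the instance are all rejected.
 */
static int IsOwnRealmTgt(const char *serverName)
{
    static const char tgtService[] = "krbtgt";
    const size_t tgtLen = sizeof(tgtService) - 1;
    const char *slash = strchr(serverName, '/');
    const char *at;
    size_t instanceLen;

    if (slash == NULL || (size_t)(slash - serverName) != tgtLen ||
        strncmp(serverName, tgtService, tgtLen) != 0) {
        return 0;
    }

    // The '@' separating instance from realm must come after the '/'.
    at = strchr(slash + 1, '@');
    if (at == NULL) {
        return 0;
    }

    instanceLen = (size_t)(at - slash - 1);
    return instanceLen != 0 &&
           strlen(at + 1) == instanceLen &&
           strncmp(slash + 1, at + 1, instanceLen) == 0;
}

/*
 * Class:     sun_security_krb5_Credentials
 * Method:    acquireDefaultNativeCreds
 * Signature: ([I)Lsun/security/krb5/Credentials;
 *
 * Reads the default credential cache and returns a Credentials object built
 * from the first unexpired krbtgt/REALM@REALM entry whose session-key enctype
 * is listed in jetypes. Returns NULL when there is no such entry, when the
 * cache carries the proxy_impersonator configuration entry, or on any error
 * (a Java exception may then be pending). Native credential contents are
 * released for every entry visited, including the one that is returned.
 */
JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativeCreds
    (JNIEnv *env, jclass krbcredsClass, jintArray jetypes)
{
    jobject krbCreds = NULL;
    krb5_error_code err = 0;
    krb5_ccache ccache = NULL;
    krb5_cc_cursor cursor = NULL;
    krb5_creds creds;
    krb5_flags flags = 0;
    krb5_context kcontext = NULL;

    int netypes = 0;
    jint *etypes = NULL;
    int proxy_flag = 0;

    memset(&creds, 0, sizeof creds);

    /* Initialize the Kerberos 5 context */
    err = krb5_init_context(&kcontext);

    if (!err) {
        err = krb5_cc_default(kcontext, &ccache);
    }

    if (!err) {
        err = krb5_cc_set_flags(kcontext, ccache, flags); /* turn off OPENCLOSE */
    }

    // First round read. The proxy_impersonator config flag is not supported.
    // This ccache will not be used if this flag exists.
    if (!err) {
        err = krb5_cc_start_seq_get(kcontext, ccache, &cursor);
    }

    if (!err) {
        while ((err = krb5_cc_next_cred(kcontext, ccache, &cursor, &creds)) == 0) {
            char *serverName = NULL;

            // An unparse failure is only reported; the next iteration
            // overwrites err from krb5_cc_next_cred.
            err = krb5_unparse_name(kcontext, creds.server, &serverName);
            printiferr(err, "while unparsing server name");

            if (!err && strcmp(serverName, PROXY_IMPERSONATOR_ENTRY) == 0) {
                proxy_flag = 1;
            }

            if (serverName != NULL) { krb5_free_unparsed_name(kcontext, serverName); }
            krb5_free_cred_contents(kcontext, &creds);

            if (proxy_flag) break;
        }

        if (err == KRB5_CC_END) { err = 0; }
        printiferr(err, "while retrieving a ticket");
    }

    if (!err) {
        err = krb5_cc_end_seq_get(kcontext, ccache, &cursor);
        printiferr(err, "while finishing ticket retrieval");
    }

    if (proxy_flag) {
        goto outer_cleanup;
    }
    // End of first round read

    // Second round read: look for a usable initial TGT.
    if (!err) {
        err = krb5_cc_start_seq_get(kcontext, ccache, &cursor);
    }

    // A missing etype list means no enctype is acceptable; the loop below
    // is then skipped and NULL is returned.
    if (jetypes != NULL) {
        netypes = (*env)->GetArrayLength(env, jetypes);
        etypes = (*env)->GetIntArrayElements(env, jetypes, NULL);
    }

    if (etypes != NULL && !err) {
        int stop = 0;

        while (!stop && (err = krb5_cc_next_cred(kcontext, ccache, &cursor, &creds)) == 0) {
            char *serverName = NULL;

            err = krb5_unparse_name(kcontext, creds.server, &serverName);
            printiferr(err, "while unparsing server name");

            // Make sure the server's name is krbtgt/REALM@REALM, the etype
            // is supported, and the ticket has not expired.
            if (!err &&
                IsOwnRealmTgt(serverName) &&
                isIn(creds.keyblock.enctype, netypes, etypes) &&
                creds.times.endtime > time(NULL)) {
                krbCreds = BuildKrbCreds(env, krbcredsClass, kcontext, &creds);

                // Stop if there is an exception or we already found the
                // initial TGT. The frees below still run for this entry, so
                // the native copy of the session key is released either way.
                if ((*env)->ExceptionCheck(env) || krbCreds) {
                    stop = 1;
                }
            }

            if (serverName != NULL) { krb5_free_unparsed_name(kcontext, serverName); }
            krb5_free_cred_contents(kcontext, &creds);
        }

        if (err == KRB5_CC_END) { err = 0; }
        printiferr(err, "while retrieving a ticket");
    }

    if (!err) {
        err = krb5_cc_end_seq_get(kcontext, ccache, &cursor);
        printiferr(err, "while finishing ticket retrieval");
    }

outer_cleanup:
    if (!err) {
        flags = KRB5_TC_OPENCLOSE; /* restore OPENCLOSE mode */
        err = krb5_cc_set_flags(kcontext, ccache, flags);
        printiferr(err, "while finishing ticket retrieval");
    }

    if (ccache != NULL) {
        krb5_cc_close(kcontext, ccache);
    }

    if (etypes != NULL) {
        // The array was only read, so nothing needs copying back.
        (*env)->ReleaseIntArrayElements(env, jetypes, etypes, JNI_ABORT);
    }

    krb5_free_context(kcontext);
    return krbCreds;
}

/*
 * Builds a sun.security.krb5.Credentials object from one credential cache
 * entry. Returns NULL when any component cannot be built; a Java exception is
 * then usually pending (BuildClientPrincipal can fail without one). Every
 * intermediate local reference is released before returning.
 */
static jobject BuildKrbCreds(JNIEnv *env, jclass krbcredsClass, krb5_context kcontext, krb5_creds *creds)
{
    jobject krbCreds = NULL;
    jobject ticket = NULL, clientPrincipal = NULL, targetPrincipal = NULL;
    jobject encryptionKey = NULL, ticketFlags = NULL, hostAddresses = NULL;
    jobject startTime = NULL, endTime = NULL, authTime = NULL, renewTillTime = NULL;

    // For the default credentials we're only interested in the krbtgt server;
    // the caller has already filtered on the server name.
    clientPrincipal = BuildClientPrincipal(env, kcontext, creds->client);
    if (clientPrincipal == NULL) goto cleanup;

    targetPrincipal = BuildClientPrincipal(env, kcontext, creds->server);
    if (targetPrincipal == NULL) goto cleanup;

    // Build a sun/security/krb5/internal/Ticket from the encoded ticket bytes.
    ticket = BuildTicket(env, &creds->ticket);
    if (ticket == NULL) goto cleanup;

    // The credential's key block (the session key).
    encryptionKey = BuildEncryptionKey(env, &creds->keyblock);
    if (encryptionKey == NULL) goto cleanup;

    ticketFlags = BuildTicketFlags(env, creds->ticket_flags);
    if (ticketFlags == NULL) goto cleanup;

    // Get the timestamps out.
    startTime = BuildKerberosTime(env, creds->times.starttime);
    if (startTime == NULL) goto cleanup;

    authTime = BuildKerberosTime(env, creds->times.authtime);
    if (authTime == NULL) goto cleanup;

    endTime = BuildKerberosTime(env, creds->times.endtime);
    if (endTime == NULL) goto cleanup;

    renewTillTime = BuildKerberosTime(env, creds->times.renew_till);
    if (renewTillTime == NULL) goto cleanup;

    // BuildAddressList returns NULL both for a credential without addresses
    // and on a JNI failure; only the latter leaves an exception pending.
    hostAddresses = BuildAddressList(env, creds->addresses);
    if (hostAddresses == NULL && (*env)->ExceptionCheck(env)) goto cleanup;

    // The Credentials class object is only available here, so its
    // constructor is resolved on first use rather than in JNI_OnLoad.
    if (krbcredsConstructor == NULL) {
        krbcredsConstructor = (*env)->GetMethodID(env, krbcredsClass, "<init>",
            "(Lsun/security/krb5/internal/Ticket;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/EncryptionKey;Lsun/security/krb5/internal/TicketFlags;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/HostAddresses;)V");
        if (krbcredsConstructor == NULL) {
            printf("Couldn't find sun.security.krb5.Credentials constructor\n");
            goto cleanup;
        }
    }

    // And now go build a KrbCreds object. The two NULL arguments fill the
    // PrincipalName slots this path does not populate.
    krbCreds = (*env)->NewObject(
        env,
        krbcredsClass,
        krbcredsConstructor,
        ticket,
        clientPrincipal,
        NULL,
        targetPrincipal,
        NULL,
        encryptionKey,
        ticketFlags,
        authTime,
        startTime,
        endTime,
        renewTillTime,
        hostAddresses);

cleanup:
    // The Credentials object holds its own references; drop ours.
    if (ticket) (*env)->DeleteLocalRef(env, ticket);
    if (clientPrincipal) (*env)->DeleteLocalRef(env, clientPrincipal);
    if (targetPrincipal) (*env)->DeleteLocalRef(env, targetPrincipal);
    if (encryptionKey) (*env)->DeleteLocalRef(env, encryptionKey);
    if (ticketFlags) (*env)->DeleteLocalRef(env, ticketFlags);
    if (authTime) (*env)->DeleteLocalRef(env, authTime);
    if (startTime) (*env)->DeleteLocalRef(env, startTime);
    if (endTime) (*env)->DeleteLocalRef(env, endTime);
    if (renewTillTime) (*env)->DeleteLocalRef(env, renewTillTime);
    if (hostAddresses) (*env)->DeleteLocalRef(env, hostAddresses);

    return krbCreds;
}


#pragma mark -

/*
 * Wraps the encoded ticket bytes in a sun/security/krb5/internal/Ticket.
 * Returns NULL with a Java exception pending on failure.
 */
static jobject BuildTicket(JNIEnv *env, krb5_data *encodedTicket)
{
    // To build a Ticket, we need to make a byte array out of the EncodedTicket.
    jobject ticket = NULL;
    jbyteArray ary = (*env)->NewByteArray(env, (jsize)encodedTicket->length);

    if (ary == NULL) {
        return NULL;
    }

    (*env)->SetByteArrayRegion(env, ary, 0, (jsize)encodedTicket->length,
                               (const jbyte *)encodedTicket->data);
    if (!(*env)->ExceptionCheck(env)) {
        ticket = (*env)->NewObject(env, ticketClass, ticketConstructor, ary);
    }

    (*env)->DeleteLocalRef(env, ary);
    return ticket;
}

/*
 * Builds a sun/security/krb5/PrincipalName from the unparsed form of
 * principalName and its name type, leaving the parsing to the Java class.
 * Returns NULL if krb5_unparse_name fails (no Java exception in that case)
 * or if a JNI call fails (exception pending).
 */
static jobject BuildClientPrincipal(JNIEnv *env, krb5_context kcontext, krb5_principal principalName)
{
    // Get the full principal string.
    char *principalString = NULL;
    jobject principal = NULL;
    krb5_error_code err = krb5_unparse_name(kcontext, principalName, &principalString);

    if (!err) {
        // NOTE(review): NewStringUTF expects modified UTF-8; a principal
        // containing characters outside the BMP would be mis-decoded here —
        // confirm whether such names can occur in practice.
        jstring principalStringObj = (*env)->NewStringUTF(env, principalString);

        if (principalStringObj != NULL) {
            principal = (*env)->NewObject(env, principalNameClass, principalNameConstructor,
                                          principalStringObj, principalName->type);
            (*env)->DeleteLocalRef(env, principalStringObj);
        }
    }

    if (principalString != NULL) {
        krb5_free_unparsed_name(kcontext, principalString);
    }
    return principal;
}

/*
 * Copies the raw key bytes of cryptoKey into a Java byte array and wraps it,
 * together with the enctype, in a sun/security/krb5/EncryptionKey.
 * Returns NULL with a Java exception pending on failure. The native key
 * block is owned by the caller and released with the credential.
 */
static jobject BuildEncryptionKey(JNIEnv *env, krb5_keyblock *cryptoKey)
{
    // First, need to build a byte array.
    jobject encryptionKey = NULL;
    jbyteArray ary = (*env)->NewByteArray(env, (jsize)cryptoKey->length);

    if (ary == NULL) {
        return NULL;
    }

    (*env)->SetByteArrayRegion(env, ary, 0, (jsize)cryptoKey->length,
                               (const jbyte *)cryptoKey->contents);
    if (!(*env)->ExceptionCheck(env)) {
        encryptionKey = (*env)->NewObject(env, encryptionKeyClass, encryptionKeyConstructor,
                                          cryptoKey->enctype, ary);
    }

    (*env)->DeleteLocalRef(env, ary);
    return encryptionKey;
}

/* The flag word is shipped to Java as exactly four big-endian bytes. */
_Static_assert(sizeof(krb5_flags) == sizeof(uint32_t), "krb5_flags is expected to be 32 bits wide");

/*
 * Encodes the ticket flags as a 4-byte big-endian array and wraps it in a
 * sun/security/krb5/internal/TicketFlags whose int argument is the width in
 * bits. Returns NULL with a Java exception pending on failure.
 */
static jobject BuildTicketFlags(JNIEnv *env, krb5_flags flags)
{
    jobject ticketFlags = NULL;
    jbyteArray ary;

    /*
     * Convert the bytes to network byte order before copying them to a
     * Java byte array. The buffer is exactly the 32-bit value htonl()
     * produces; copying sizeof(flags) bytes out of a wider integer would
     * pick up padding bytes on a big-endian host.
     */
    uint32_t nlflags = htonl((uint32_t)flags);

    ary = (*env)->NewByteArray(env, (jsize)sizeof(nlflags));
    if (ary == NULL) {
        return NULL;
    }

    (*env)->SetByteArrayRegion(env, ary, 0, (jsize)sizeof(nlflags), (const jbyte *)&nlflags);
    if (!(*env)->ExceptionCheck(env)) {
        // Varargs to NewObject must carry a jint, not a size_t, for the "I" slot.
        ticketFlags = (*env)->NewObject(env, ticketFlagsClass, ticketFlagsConstructor,
                                        (jint)(sizeof(nlflags) * 8), ary);
    }

    (*env)->DeleteLocalRef(env, ary);
    return ticketFlags;
}

/*
 * Wraps a Kerberos timestamp in a sun/security/krb5/internal/KerberosTime.
 * Returns NULL with a Java exception pending on failure.
 */
static jobject BuildKerberosTime(JNIEnv *env, krb5_timestamp kerbtime)
{
    // Kerberos time is in seconds, but the KerberosTime class assumes
    // milliseconds, so multiply by 1000 (in 64-bit arithmetic).
    // NOTE(review): if krb5_timestamp is a signed 32-bit type, timestamps past
    // 2038 arrive here negative — confirm against the framework's definition.
    jlong millis = (jlong)kerbtime * 1000;

    return (*env)->NewObject(env, kerberosTimeClass, kerberosTimeConstructor, millis);
}

/*
 * Converts a NULL-terminated krb5_address list into a HostAddress[] array.
 * Returns NULL when addresses is NULL (no exception) and NULL with a Java
 * exception pending when any JNI call fails.
 */
static jobject BuildAddressList(JNIEnv *env, krb5_address **addresses)
{
    jsize addressCount = 0;
    jsize index;
    jobject address_list;

    if (addresses == NULL) {
        return NULL;
    }

    // See how many we have; the list is NULL-terminated.
    while (addresses[addressCount] != NULL) {
        addressCount++;
    }

    address_list = (*env)->NewObjectArray(env, addressCount, hostAddressClass, NULL);
    if (address_list == NULL) {
        return NULL;
    }

    // Create a new HostAddress object for each address block.
    for (index = 0; index < addressCount; index++) {
        krb5_address *currAddress = addresses[index];
        jobject address;

        // HostAddress needs a byte array of the host data.
        jbyteArray ary = (*env)->NewByteArray(env, (jsize)currAddress->length);
        if (ary == NULL) {
            return NULL;
        }

        (*env)->SetByteArrayRegion(env, ary, 0, (jsize)currAddress->length,
                                   (const jbyte *)currAddress->contents);
        if ((*env)->ExceptionCheck(env)) {
            (*env)->DeleteLocalRef(env, ary);
            return NULL;
        }

        // NOTE(review): the int passed here is the byte length of the address,
        // kept as in the original; confirm against the HostAddress(int, byte[])
        // constructor whether the address type (currAddress->addrtype) was meant.
        address = (*env)->NewObject(env, hostAddressClass, hostAddressConstructor,
                                    (jint)currAddress->length, ary);
        (*env)->DeleteLocalRef(env, ary);
        if (address == NULL) {
            return NULL;
        }

        // Add the HostAddress to the array, then drop our local reference to it.
        (*env)->SetObjectArrayElement(env, address_list, index, address);
        (*env)->DeleteLocalRef(env, address);
        if ((*env)->ExceptionCheck(env)) {
            return NULL;
        }
    }

    return address_list;
}

#pragma mark - Utility methods -

/*
 * Reports err through com_err_va with the "ticketParser:" prefix when err is
 * non-zero; format and the trailing arguments describe the failed step.
 */
static void printiferr(errcode_t err, const char *format, ...)
{
    if (err) {
        va_list pvar;

        va_start(pvar, format);
        com_err_va("ticketParser:", err, format, pvar);
        va_end(pvar);
    }
}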