Path: blob/master/src/java.security.jgss/share/classes/sun/security/jgss/GSSNameImpl.java
41159 views
/*1* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/2425package sun.security.jgss;2627import org.ietf.jgss.*;28import sun.security.jgss.spi.*;29import java.util.Set;30import java.util.HashMap;31import java.util.HashSet;32import java.util.Arrays;33import java.io.IOException;34import sun.security.util.ObjectIdentifier;35import sun.security.util.DerInputStream;36import sun.security.util.DerOutputStream;3738import static java.nio.charset.StandardCharsets.UTF_8;3940/**41* This is the implementation class for GSSName. Conceptually the42* GSSName is a container with mechanism specific name elements. Each43* name element is a representation of how that particular mechanism44* would canonicalize this principal.45*46* Generally a GSSName is created by an application when it supplies47* a sequence of bytes and a nametype that helps each mechanism48* decide how to interpret those bytes.49*50* It is not necessary to create name elements for each available51* mechanism at the time the application creates the GSSName. This52* implementation does this lazily, as and when name elements for53* mechanisms are required to be handed out. (Generally, other GSS54* classes like GSSContext and GSSCredential request specific55* elements depending on the mechanisms that they are dealing with.)56* Assume that getting a mechanism to parse the applciation specified57* bytes is an expensive call.58*59* When a GSSName is canonicalized wrt some mechanism, it is supposed60* to discard all elements of other mechanisms and retain only the61* element for this mechanism. In GSS terminology this is called a62* Mechanism Name or MN. This implementation tries to retain the63* application provided bytes and name type just in case the MN is64* asked to produce an element for a mechanism that is different.65*66* When a GSSName is to be exported, the name element for the desired67* mechanism is converted to a byte representation and written68* out. It might happen that a name element for that mechanism cannot69* be obtained. This happens when the mechanism is just not supported70* in this GSS-API or when the mechanism is supported but bytes71* corresponding to the nametypes that it understands are not72* available in this GSSName.73*74* This class is safe for sharing. Each retrieval of a name element75* from getElement() might potentially add a new element to the76* hashmap of elements, but getElement() is synchronized.77*78* @author Mayank Upadhyay79* @since 1.480*/8182public class GSSNameImpl implements GSSName {8384/**85* The old Oid used in RFC 2853. Now supported as86* input parameters in:87*88* 1. The four overloaded GSSManager.createName(*) methods89* 2. GSSManager.getMechsForName(Oid)90*91* Note that even if a GSSName is created with this old Oid,92* its internal name type and getStringNameType() output are93* always the new value.94*/95static final Oid oldHostbasedServiceName;9697static {98Oid tmp = null;99try {100tmp = new Oid("1.3.6.1.5.6.2");101} catch (Exception e) {102// should never happen103}104oldHostbasedServiceName = tmp;105}106107private GSSManagerImpl gssManager = null;108109/*110* Store whatever the application passed in. We will use this to111* get individual mechanisms to create name elements as and when112* needed.113* Store both the String and the byte[]. Leave I18N to the114* mechanism by allowing it to extract bytes from the String!115*/116117private String appNameStr = null;118private byte[] appNameBytes = null;119private Oid appNameType = null;120121/*122* When we figure out what the printable name would be, we store123* both the name and its type.124*/125126private String printableName = null;127private Oid printableNameType = null;128129private HashMap<Oid, GSSNameSpi> elements = null;130private GSSNameSpi mechElement = null;131132static GSSNameImpl wrapElement(GSSManagerImpl gssManager,133GSSNameSpi mechElement) throws GSSException {134return (mechElement == null ?135null : new GSSNameImpl(gssManager, mechElement));136}137138GSSNameImpl(GSSManagerImpl gssManager, GSSNameSpi mechElement) {139this.gssManager = gssManager;140appNameStr = printableName = mechElement.toString();141appNameType = printableNameType = mechElement.getStringNameType();142this.mechElement = mechElement;143elements = new HashMap<Oid, GSSNameSpi>(1);144elements.put(mechElement.getMechanism(), this.mechElement);145}146147GSSNameImpl(GSSManagerImpl gssManager,148Object appName,149Oid appNameType)150throws GSSException {151this(gssManager, appName, appNameType, null);152}153154GSSNameImpl(GSSManagerImpl gssManager,155Object appName,156Oid appNameType,157Oid mech)158throws GSSException {159160if (oldHostbasedServiceName.equals(appNameType)) {161appNameType = GSSName.NT_HOSTBASED_SERVICE;162}163if (appName == null)164throw new GSSExceptionImpl(GSSException.BAD_NAME,165"Cannot import null name");166if (mech == null) mech = ProviderList.DEFAULT_MECH_OID;167if (NT_EXPORT_NAME.equals(appNameType)) {168importName(gssManager, appName);169} else {170init(gssManager, appName, appNameType, mech);171}172}173174private void init(GSSManagerImpl gssManager,175Object appName, Oid appNameType,176Oid mech)177throws GSSException {178179this.gssManager = gssManager;180this.elements =181new HashMap<Oid, GSSNameSpi>(gssManager.getMechs().length);182183if (appName instanceof String) {184this.appNameStr = (String) appName;185/*186* If appNameType is null, then the nametype for this printable187* string is determined only by interrogating the188* mechanism. Thus, defer the setting of printableName and189* printableNameType till later.190*/191if (appNameType != null) {192printableName = appNameStr;193printableNameType = appNameType;194}195} else {196this.appNameBytes = (byte[]) appName;197}198199this.appNameType = appNameType;200201mechElement = getElement(mech);202203/*204* printableName will be null if appName was in a byte[] or if205* appName was in a String but appNameType was null.206*/207if (printableName == null) {208printableName = mechElement.toString();209printableNameType = mechElement.getStringNameType();210}211212/*213* At this point the GSSNameImpl has the following set:214* appNameStr or appNameBytes215* appNameType (could be null)216* printableName217* printableNameType218* mechElement (which also exists in the hashmap of elements)219*/220}221222private void importName(GSSManagerImpl gssManager,223Object appName)224throws GSSException {225226int pos = 0;227byte[] bytes = null;228229if (appName instanceof String) {230bytes = ((String) appName).getBytes(UTF_8);231} else {232bytes = (byte[]) appName;233}234235if ((bytes[pos++] != 0x04) ||236(bytes[pos++] != 0x01))237throw new GSSExceptionImpl(GSSException.BAD_NAME,238"Exported name token id is corrupted!");239240int oidLen = (((0xFF & bytes[pos++]) << 8) |241(0xFF & bytes[pos++]));242ObjectIdentifier temp = null;243try {244DerInputStream din = new DerInputStream(bytes, pos,245oidLen);246temp = new ObjectIdentifier(din);247} catch (IOException e) {248throw new GSSExceptionImpl(GSSException.BAD_NAME,249"Exported name Object identifier is corrupted!");250}251Oid oid = new Oid(temp.toString());252pos += oidLen;253int mechPortionLen = (((0xFF & bytes[pos++]) << 24) |254((0xFF & bytes[pos++]) << 16) |255((0xFF & bytes[pos++]) << 8) |256(0xFF & bytes[pos++]));257258if (mechPortionLen < 0 || pos > bytes.length - mechPortionLen) {259throw new GSSExceptionImpl(GSSException.BAD_NAME,260"Exported name mech name is corrupted!");261}262byte[] mechPortion = new byte[mechPortionLen];263System.arraycopy(bytes, pos, mechPortion, 0, mechPortionLen);264265init(gssManager, mechPortion, NT_EXPORT_NAME, oid);266}267268public GSSName canonicalize(Oid mech) throws GSSException {269if (mech == null) mech = ProviderList.DEFAULT_MECH_OID;270271return wrapElement(gssManager, getElement(mech));272}273274/**275* This method may return false negatives. But if it says two276* names are equals, then there is some mechanism that277* authenticates them as the same principal.278*/279public boolean equals(GSSName other) throws GSSException {280281if (this.isAnonymous() || other.isAnonymous())282return false;283284if (other == this)285return true;286287if (! (other instanceof GSSNameImpl))288return equals(gssManager.createName(other.toString(),289other.getStringNameType()));290291/*292* XXX Do a comparison of the appNameStr/appNameBytes if293* available. If that fails, then proceed with this test.294*/295296GSSNameImpl that = (GSSNameImpl) other;297298GSSNameSpi myElement = this.mechElement;299GSSNameSpi element = that.mechElement;300301/*302* XXX If they are not of the same mechanism type, convert both to303* Kerberos since it is guaranteed to be present.304*/305if ((myElement == null) && (element != null)) {306myElement = this.getElement(element.getMechanism());307} else if ((myElement != null) && (element == null)) {308element = that.getElement(myElement.getMechanism());309}310311if (myElement != null && element != null) {312return myElement.equals(element);313}314315if ((this.appNameType != null) &&316(that.appNameType != null)) {317if (!this.appNameType.equals(that.appNameType)) {318return false;319}320byte[] myBytes =321(this.appNameStr != null ?322this.appNameStr.getBytes(UTF_8) :323this.appNameBytes);324byte[] bytes =325(that.appNameStr != null ?326that.appNameStr.getBytes(UTF_8) :327that.appNameBytes);328return Arrays.equals(myBytes, bytes);329}330331return false;332333}334335/**336* Returns a hashcode value for this GSSName.337*338* @return a hashCode value339*/340public int hashCode() {341/*342* XXX343* In order to get this to work reliably and properly(!), obtain a344* Kerberos name element for the name and then call hashCode on its345* string representation. But this cannot be done if the nametype346* is not one of those supported by the Kerberos provider and hence347* this name cannot be imported by Kerberos. In that case return a348* constant value!349*/350351return 1;352}353354public boolean equals(Object another) {355356try {357// XXX This can lead to an infinite loop. Extract info358// and create a GSSNameImpl with it.359360if (another instanceof GSSName)361return equals((GSSName) another);362} catch (GSSException e) {363// Squelch it and return false364}365366return false;367}368369/**370* Returns a flat name representation for this object. The name371* format is defined in RFC 2743:372*<pre>373* Length Name Description374* 2 TOK_ID Token Identifier375* For exported name objects, this376* must be hex 04 01.377* 2 MECH_OID_LEN Length of the Mechanism OID378* MECH_OID_LEN MECH_OID Mechanism OID, in DER379* 4 NAME_LEN Length of name380* NAME_LEN NAME Exported name; format defined in381* applicable mechanism draft.382*</pre>383*384* Note that it is not required to canonicalize a name before385* calling export(). i.e., the name need not be an MN. If it is386* not an MN, an implementation defined algorithm can be used for387* choosing the mechanism which should export this name.388*389* @return the flat name representation for this object390* @exception GSSException with major codes NAME_NOT_MN, BAD_NAME,391* BAD_NAME, FAILURE.392*/393public byte[] export() throws GSSException {394395if (mechElement == null) {396/* Use default mech */397mechElement = getElement(ProviderList.DEFAULT_MECH_OID);398}399400byte[] mechPortion = mechElement.export();401byte[] oidBytes = null;402ObjectIdentifier oid = null;403404try {405oid = ObjectIdentifier.of406(mechElement.getMechanism().toString());407} catch (IOException e) {408throw new GSSExceptionImpl(GSSException.FAILURE,409"Invalid OID String ");410}411DerOutputStream dout = new DerOutputStream();412try {413dout.putOID(oid);414} catch (IOException e) {415throw new GSSExceptionImpl(GSSException.FAILURE,416"Could not ASN.1 Encode "417+ oid.toString());418}419oidBytes = dout.toByteArray();420421byte[] retVal = new byte[2422+ 2 + oidBytes.length423+ 4 + mechPortion.length];424int pos = 0;425retVal[pos++] = 0x04;426retVal[pos++] = 0x01;427retVal[pos++] = (byte) (oidBytes.length>>>8);428retVal[pos++] = (byte) oidBytes.length;429System.arraycopy(oidBytes, 0, retVal, pos, oidBytes.length);430pos += oidBytes.length;431retVal[pos++] = (byte) (mechPortion.length>>>24);432retVal[pos++] = (byte) (mechPortion.length>>>16);433retVal[pos++] = (byte) (mechPortion.length>>>8);434retVal[pos++] = (byte) mechPortion.length;435System.arraycopy(mechPortion, 0, retVal, pos, mechPortion.length);436return retVal;437}438439public String toString() {440return printableName;441442}443444public Oid getStringNameType() throws GSSException {445return printableNameType;446}447448public boolean isAnonymous() {449if (printableNameType == null) {450return false;451} else {452return GSSName.NT_ANONYMOUS.equals(printableNameType);453}454}455456public boolean isMN() {457return true; // Since always canonicalized for some mech458}459460public synchronized GSSNameSpi getElement(Oid mechOid)461throws GSSException {462463GSSNameSpi retVal = elements.get(mechOid);464465if (retVal == null) {466if (appNameStr != null) {467retVal = gssManager.getNameElement468(appNameStr, appNameType, mechOid);469} else {470retVal = gssManager.getNameElement471(appNameBytes, appNameType, mechOid);472}473elements.put(mechOid, retVal);474}475return retVal;476}477478Set<GSSNameSpi> getElements() {479return new HashSet<GSSNameSpi>(elements.values());480}481482private static String getNameTypeStr(Oid nameTypeOid) {483484if (nameTypeOid == null)485return "(NT is null)";486487if (nameTypeOid.equals(NT_USER_NAME))488return "NT_USER_NAME";489if (nameTypeOid.equals(NT_HOSTBASED_SERVICE))490return "NT_HOSTBASED_SERVICE";491if (nameTypeOid.equals(NT_EXPORT_NAME))492return "NT_EXPORT_NAME";493if (nameTypeOid.equals(GSSUtil.NT_GSS_KRB5_PRINCIPAL))494return "NT_GSS_KRB5_PRINCIPAL";495else496return "Unknown";497}498}499500501