Path: blob/master/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5AcceptCredential.java
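/*
 * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.jgss.krb5;

import java.io.IOException;
import org.ietf.jgss.*;
import sun.security.jgss.GSSCaller;
import sun.security.jgss.spi.*;
import sun.security.krb5.*;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.AccessController;
import java.security.AccessControlContext;
import javax.security.auth.DestroyFailedException;

/**
 * Implements the krb5 acceptor credential element.
 *
 * <p>An instance wraps the {@code ServiceCreds} located by
 * {@code Krb5Util.getServiceCreds} together with the acceptor's
 * {@code Krb5NameElement}. It only ever reports itself as an acceptor
 * credential; initiator-side operations are delegated to
 * {@code Krb5InitCredential} where the service creds carry an
 * initiator credential (see {@link #impersonate}).
 *
 * @author Mayank Upadhyay
 * @since 1.4
 */
public class Krb5AcceptCredential
    implements Krb5CredElement {

    // Acceptor principal name. May be null when neither the caller nor the
    // located credentials supplied one (see getInstance).
    private final Krb5NameElement name;
    // Service credentials backing this element: source of the encryption
    // keys handed out by getKrb5EncryptionKeys and of the optional initiator
    // credential used by impersonate. Destroyed by destroy()/dispose().
    private final ServiceCreds screds;

    /**
     * Wraps an already-acquired name and service credentials.
     *
     * @param name  acceptor name, possibly {@code null}
     * @param creds service credentials this element takes responsibility
     *              for destroying
     */
    private Krb5AcceptCredential(Krb5NameElement name, ServiceCreds creds) {
        // Only references are stored. NOTE(review): the original comment
        // here spoke of copying data from a KerberosKey; the fields are a
        // name element and ServiceCreds, so that description no longer
        // matches the code.
        this.name = name;
        this.screds = creds;
    }

    /**
     * Acquires an acceptor credential for the given caller and, optionally,
     * service principal name.
     *
     * @param caller the requesting caller type; {@code CALLER_UNKNOWN} is
     *               mapped to {@code CALLER_ACCEPT} before the lookup
     * @param name   the requested acceptor name, or {@code null} to accept
     *               for whichever principal the located credentials name
     * @return a new element wrapping the located service credentials
     * @throws GSSException with major code {@code NO_CRED} when the
     *         privileged lookup throws or returns no credentials
     */
    @SuppressWarnings("removal")
    static Krb5AcceptCredential getInstance(final GSSCaller caller, Krb5NameElement name)
        throws GSSException {

        final String serverPrinc = (name == null? null:
            name.getKrb5PrincipalName().getName());
        // The caller's context is captured here and handed to the lookup,
        // presumably so that access to the credentials is evaluated against
        // the permissions of the code requesting them rather than of this
        // privileged block -- confirm against Krb5Util.getServiceCreds.
        final AccessControlContext acc = AccessController.getContext();

        ServiceCreds creds = null;
        try {
            creds = AccessController.doPrivileged(
                new PrivilegedExceptionAction<ServiceCreds>() {
                public ServiceCreds run() throws Exception {
                    return Krb5Util.getServiceCreds(
                        caller == GSSCaller.CALLER_UNKNOWN ? GSSCaller.CALLER_ACCEPT: caller,
                        serverPrinc, acc);
                }});
        } catch (PrivilegedActionException e) {
            // Surface the wrapped cause, not the PrivilegedActionException
            // shell, so callers can see why the lookup failed.
            GSSException ge =
                new GSSException(GSSException.NO_CRED, -1,
                    "Attempt to obtain new ACCEPT credentials failed!");
            ge.initCause(e.getException());
            throw ge;
        }

        if (creds == null)
            throw new GSSException(GSSException.NO_CRED, -1,
                "Failed to find any Kerberos credentials");

        // No name was requested: adopt the one the located credentials
        // carry, so getName() reflects the principal actually accepted for.
        // If the creds carry no name either, name stays null.
        if (name == null) {
            String fullName = creds.getName();
            if (fullName != null) {
                name = Krb5NameElement.getInstance(fullName,
                    Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL);
            }
        }

        return new Krb5AcceptCredential(name, creds);
    }

    /**
     * Returns the principal name for this credential. The name
     * is in mechanism specific format.
     *
     * @return GSSNameSpi representing principal name of this credential,
     *         or {@code null} if none could be determined at acquisition
     * @exception GSSException may be thrown
     */
    public final GSSNameSpi getName() throws GSSException {
        return name;
    }

    /**
     * Returns the init lifetime remaining. This element is never usable
     * for initiating, so the value is always 0.
     *
     * @return the init lifetime remaining in seconds (always 0)
     * @exception GSSException may be thrown
     */
    public int getInitLifetime() throws GSSException {
        return 0;
    }

    /**
     * Returns the accept lifetime remaining. Service credentials do not
     * expire from this element's point of view, so the value is always
     * {@code GSSCredential.INDEFINITE_LIFETIME}.
     *
     * @return the accept lifetime remaining in seconds
     * @exception GSSException may be thrown
     */
    public int getAcceptLifetime() throws GSSException {
        return GSSCredential.INDEFINITE_LIFETIME;
    }

    /**
     * Always {@code false}: this element only accepts contexts.
     *
     * @return {@code false}
     * @exception GSSException may be thrown
     */
    public boolean isInitiatorCredential() throws GSSException {
        return false;
    }

    /**
     * Always {@code true}: this element accepts contexts.
     *
     * @return {@code true}
     * @exception GSSException may be thrown
     */
    public boolean isAcceptorCredential() throws GSSException {
        return true;
    }

    /**
     * Returns the oid representing the underlying credential
     * mechanism oid.
     *
     * @return the Oid for this credential mechanism
     * @exception GSSException may be thrown
     */
    public final Oid getMechanism() {
        return Krb5MechFactory.GSS_KRB5_MECH_OID;
    }

    /**
     * Returns the security provider this mechanism element belongs to.
     *
     * @return {@code Krb5MechFactory.PROVIDER}
     */
    public final java.security.Provider getProvider() {
        return Krb5MechFactory.PROVIDER;
    }

    /**
     * Returns the encryption keys the wrapped service credentials hold for
     * the given principal, as supplied by {@code ServiceCreds.getEKeys}.
     *
     * @param princ the principal passed through to the key lookup
     * @return the keys returned by the service credentials
     */
    public EncryptionKey[] getKrb5EncryptionKeys(PrincipalName princ) {
        return screds.getEKeys(princ);
    }

    /**
     * Called to invalidate this credential element.
     *
     * <p>Delegates to {@link #destroy()}. A {@code DestroyFailedException}
     * is converted to a {@code GSSException} with major code
     * {@code FAILURE} and rethrown, so that a caller is never led to
     * believe the credential was disposed while its key material is in
     * fact still live.
     *
     * @throws GSSException if the underlying credentials could not be
     *         destroyed
     */
    public void dispose() throws GSSException {
        try {
            destroy();
        } catch (DestroyFailedException e) {
            GSSException gssException =
                new GSSException(GSSException.FAILURE, -1,
                 "Could not destroy credentials - " + e.getMessage());
            gssException.initCause(e);
            // The exception used to be constructed and then dropped,
            // silently swallowing a failed destroy; propagate it instead.
            throw gssException;
        }
    }

    /**
     * Destroys the wrapped service credentials, and with them the key
     * material this element hands out through
     * {@link #getKrb5EncryptionKeys}. There is no base-class state to
     * destroy; the call is delegated to {@code ServiceCreds.destroy()}.
     *
     * @throws DestroyFailedException propagated from the service credentials
     */
    public void destroy() throws DestroyFailedException {
        screds.destroy();
    }

    /**
     * Impersonation is only available on the initiator side. The
     * service must starts as an initiator to get an initial TGT to complete
     * the S4U2self protocol.
     *
     * <p>If the service credentials carry an initiator credential, the call
     * is delegated to a {@code Krb5InitCredential} built from it.
     *
     * @param name the name to impersonate
     * @return the impersonated credential produced by the initiator element
     * @throws GSSException with major code {@code FAILURE} when no initiator
     *         credential is available, or whatever the delegate throws
     */
    @Override
    public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
        Credentials cred = screds.getInitCred();
        if (cred != null) {
            return Krb5InitCredential.getInstance(this.name, cred)
                                     .impersonate(name);
        } else {
            throw new GSSException(GSSException.FAILURE, -1,
                    "Only an initiate credentials can impersonate");
        }
    }
}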